About (temporary!)

I am an independent researcher with an interest in Internet privacy and surveillance. The posts here (so far) are all from a previous blog and so are a bit out of date but still valid. Why Privacy Doc? No, I am not doctoring your privacy (!), I hold a Ph.D. in Internet Privacy, thus the 'Doc'! I also hold an LL.M. in Cyberlaw.

All posts are my own opinions unless stated otherwise.

This website is built using Publii, which generates static web pages and is really easy to use.

JMH

Cookie madness

I came across a website a couple of days ago that has the usual, rather useless cookie notice generated, as the site claims several times, by some random cookie policy generator. Ok so it has the usual three options, accept, decline, or see more information. But I was rather surprised that clicking ‘decline’ threw me to Google which then wanted me to agree to its own cookies. Not a good start. On further analysis, the ‘decline’ button URL is… Google.com! Big fail. The cookie notice itself is the usual waffle and on the positive side, if there is one, it does tell you all the evil it is committing. In one section it does state that the third party cookie being set lasts forever and is used to track you across the whole of the web. Of course, it has set all the cookies before you even agree. Fail number 2. In all the site sets 32 cookies, 8 of which are third party; and it causes your browser to make over 200 requests to nearly 60 different IP addresses. And the cookie policy generator they used? It has a short disclaimer basically saying they’ve no real idea what they are doing and only provide the generated cookie notice for informational purposes. Ugh. No, I'm not going to give the URL, and anyway I forgot about it ages ago the website was so useless...

JMH

Who gave me that cookie?

When browsing to a website, that site may set cookies for itself or third party cookies. I am not delving into this here, suffice to say that third party cookies are generally considered the ones to avoid at all cost. But how do you know what cookies are being set? I use three different browsers across the systems I use personally. Safari on my iPhone usually has cookies disabled completely. I use Safari and Brave on the Mac. On my Linux PC I use Firefox with no specific settings but set to delete cookies on exit. And on my Windows PC I use a mixture of Firefox and Brave, but I rarely use this system to browse websites other than a select few that I use regularly. This works for me, but generally speaking is not a good solution for ‘the many’ because things will break. So… Safari on the Mac tells me what trackers have been prevented from profiling me. Brave has a similar function. A comic website that I used to browse daily sets 17 cookies regardless of whether I reject or accept them. Enter a website that I discovered today while reviewing content on the excellent noyb.eu: https://webbkoll.dataskydd.net/en. The code behind this website analyses websites and shows all sorts of things including cookies set, and also requests made to other servers – when you browse to a website very often that site causes your browser to visit other sites for parts of the whole, media and imagery for example. One must remember it is not the website you visit doing this, it is that website causing your browser to do it. The webbkoll website teases all of this out and displays it for you to see. I was rather surprised to note that webbkoll finds 53 cookies at the comic website! That may in part be because Safari genuinely blocks some, but to get down to 17 from 53 this is quite a lot. Webbkoll details them all too. Webbkoll is definitely another very useful tool when trying to figure out what a given website is trying to do.

JMH

The problem of stats

No, not statistics in itself. The problem I am writing about is website statistics, and it started a long time ago. Back in the day we simply used web server logs to analyse website traffic. One could see an incoming IP address and see where the associated browser went in the website. This worked well back then as websites were simple affairs and essentially all one big lump. Of course, this was an era when web servers were run almost in the spare time of those few IT (and indeed non-IT) that had any interest in the web. Back then I was not in the central IT team but I was afforded some latitude for experimenting with new things, especially when redundant hardware could be used. It was 1992 and the IMG tag was still in the realm of fantasy. Later, there were two open source packages that became very popular, one called Analog and the other Linklint. The former produced statistics about website visitors and the latter could be used to check for errors, missing pages for example. Analog could, when provided with valid data, estimate which countries visitors were coming from, very useful when your organisation markets itself globally. Of course, the marketeers desired more. I was once asked to find out where everyone who only looked at our home page went next. Ok, where they visited another of our own web servers this was do-able, but the question was expanded to ask which of our competitors they visited next. This was new thinking, by which I mean thinking that one could not associate with any other media. For example, if the publisher of one newspaper wanted to know which other newspaper a person took after only glancing at their own it would need some form of physical surveillance, or perhaps a questionnaire. Neither would be particularly reliable, the questionnaire in particular. Enter, stage left, Google Analytics. I had attended a launch event – well of a sort anyway – where a new product was described which would enable one to search all across the web.
The name? Google. We had rudimentary search products by this time but nothing like what was being described. Bells were ringing, but rather quietly. I think we could see back then that all of a sudden content has value, just not to us. But, Google search aside, we later got wind of Google Analytics and the bells got louder amongst those of us who could already see future issues. Google Analytics arrived with two quite major advantages. First, IT people no longer had to do anything, and second, the marketeers would have access to easy-to-understand graphs. But those of us who had this nagging voice about global surveillance and the fact that a corporate entity would effectively have access to data indicating where everyone browsed were ignored. Fast forward to the later times of the GDPR and the coming soon and already years late PECR replacement, cookie laws and all…

JMH

Cookies and trackers

Cookies, and cookie banners or notices, have been around for a long time now. These notices are aimed at gaining consent to process personal information but it is often hard to see what that actually means. There are times it must happen, for example to provide a service or a product the company concerned does need to know who you are. But the spread of cookies across the Web has a far more sinister use and is often not understood by the general public. There have been all manner of attempts to cure the cookie issue over the past few years and the current crop of browsers have options to cut out third party cookies, for example. But the issue persists, in part because some websites simply ignore the rules or exist in jurisdictions where they do not apply, and in part because websites adapt to use first party cookies for the same purposes as before. The marketeers will no doubt argue that nothing comes free, and I accept that to a point. While it may well be fair game for the likes of Facebook to monetise my data because the platform itself does not cost me to use, the desire to track my activities outside of Facebook is the opposite. Advertising is, of course, part of everyday life. Commercial radio and television rely on it in order to present programmes at no cost to the end user - the viewing and listening public. But these large companies - the likes of Facebook and Google - have stepped way outside the circle that one may consider to be reasonable. While radio and TV adverts are one way, that is they do not know I have watched them or listened to them, when an advert on a website is presented the fact I have clicked on it can be recorded. I will expand on this next. Take for example a TV advert. If one watches the advert and then calls the company, or if one buys a product and there is a card asking how one found it, any response is voluntary. Responses can be used to gauge the success of the advert. This is the old way of things, still relevant today.
Now take an advert on the web. By simply clicking on the advert the vendor or, more probably, the advertising agency can see that the advert has been clicked. If one then proceeds to a purchase that too can be recorded and the data tied together. This can form a profile of the specific user. However, we need to go one step further. All this data can be connected across many websites such that a user can be profiled and tracked across disparate purchases across many websites. This gives the advertisers far more detail than would be achieved by voluntary submissions to surveys and such. And the user has little choice. This data can then be used to form an advertising strategy and show that user adverts for…
