Photo credit: Associated Press
Welcome to the website dedicated to cookie privacy! We feel that very few people understand the intricacies of how cookies work and how they compromise privacy on the Internet. And so we made a website about it. We hope it answers all your questions.
If you don't have time to browse an entire website about cookie privacy, here's the essential point to remember: if you have cookies enabled, you cannot be anonymous on the Internet.
A claim like that requires a convincing explanation. Many of us, after all, cling to this idea that the Internet is the ultimate anonymous space. We make throwaway accounts on Reddit, we post some silly stuff, and we assume that no one could possibly trace that silly stuff to our computer. Maybe we don't just post silly stuff. Maybe we post offensive, racist, sexist, or disturbing content, either because we sincerely have racist sentiments or because we're just trying to "troll." Either way, we rationalize that it doesn't matter because no one will ever trace this offensive content to our real identities.
This is absolutely untrue. Companies like Google have such a strong presence on the Internet that they can use cookies to track your browser everywhere. With cookies, Google may not be able to figure out what we're doing on particular websites, but Google can at least establish that we're visiting certain websites at particular times. And Google's ability to track you will only improve in the years to come, as web technologies improve.
The most natural response to this tracking is to suggest regulation. It may seem as though government intervention could stamp out tracking. To some extent, this is true. If the government mandated tomorrow that no websites could use cookies anymore, then Google couldn't track us with cookies. But it would be nearly impossible for the government to just "ban" cookies, because it would destroy the Internet as we know it. The Internet depends on this idea of "sessions"--that once you log in to a website, the website can differentiate you from other people using the website. As the Internet currently exists, this sort of functionality is only possible with cookies.
(If you're still unclear on what cookies are, you can find a complete breakdown here. Hopefully it answers all your questions.)
So what if the government only banned certain types of cookies? This is essentially what the EU tried to do in 2009, when it tried to ban non-essential cookies. But this opens up a whole new can of worms. Suddenly the government is obliged to define what an essential cookie is, which turns out to be very difficult. It might seem as though the government could just offer a list of "approved" cookies. Cookies that didn't implement some particular feature would be illegal. But this approach has several problems. For one thing, it would suddenly be impossible to innovate with cookies. There's also another, deeper problem. Let's say that the government says that only cookies of type X are legal. On a low level, a cookie is just a key-value pair. Put more simply, a cookie is a string of text. How is a government regulator supposed to look at a string of text and decide if that text is of type X? This is a surprisingly difficult problem.
Adding to the problem is the fact that there are literally millions of websites on the Internet that would need to be policed, many of them hosted in foreign countries over which the US has no jurisdiction anyway.
Thus far we've only discussed the practical difficulty of getting rid of cookies, but there's another, more abstract way of looking at the problem. Nearly all of us would like to be anonymous on the Web, in an ideal universe. But nearly all of us would also like the Web to be customized to our preferences, and to respond to us like we're unique human beings. We have an interest in building an Internet in which our browser is treated differently from other browsers. There is a fundamental tension between these two desires: anonymity on the one hand, and customization on the other. It seems impossible to build a Web that is both fully customizable and also fully anonymous. Either websites can "recognize" your browser, or they can't.
This is not to suggest that the campaign against tracking cookies is hopeless. We might be able to improve anonymity while retaining some customization. But the idea that the Internet will ever be completely anonymous is unrealistic. We would have to seriously pare down our expectations for what websites should do. The EU cookie law is an excellent example of what happens when websites try to pare back cookies. Many websites tried to enforce the EU cookie law, only to discover that their traffic dropped by as much as 90%. Web industry advocates claimed that the EU cookie law would annihilate the Internet as we know it. This may be hyperbole, but it does seem to be true that a completely anonymous Internet is not an achievable goal if we want to preserve the Internet's functionality.
Here's the essence of the problem: the Internet is not anonymous now, it hasn't been anonymous for a very long time, and it will likely become even less anonymous in the future. It's good and valuable for us as citizens to debate which cookies are good and which are bad. We should absolutely pursue initiatives like Do Not Track in the hope that they will rein cookies in. But the Internet will never be completely anonymous, and as consumers of content on the Internet, it is absolutely urgent that we stop treating it as such. If you create a throwaway account on Reddit and then post shocking comments with it, a company like Google may be able to associate those comments with your Gmail account, which is probably tied to your real name. Until we realize that our online identities can easily be tied to our offline identities, we are not navigating the Internet safely.
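To make the tracking claim and the Gmail scenario above concrete, here is an added example (not part of the original site) of what a third-party host embedded on many pages can reconstruct from its own request log. The host `tracker.example`, the `uid` cookie name, and every log record are constructed for illustration; the last record shows a browser that sends no third-party cookie.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: requests received by a hypothetical third-party host
# (tracker.example) whose script is embedded on several unrelated sites.
# Each tuple: (timestamp, Cookie header sent by the browser, Referer header).
REQUESTS = [
    ("2013-05-01T09:00", "uid=a1f3", "https://news.example/story"),
    ("2013-05-01T09:07", "uid=a1f3", "https://forum.example/thread/42"),
    ("2013-05-01T09:10", "uid=77c0", "https://news.example/story"),
    ("2013-05-01T09:30", "uid=a1f3; theme=dark", "https://mail.tracker.example/inbox"),
    ("2013-05-01T09:41", None, "https://forum.example/thread/42"),
]
# Constructed: account the tracker's own mail service saw log in with this cookie.
LOGINS = {"a1f3": "alice@tracker.example"}


def parse_cookie(header):
    """Split a Cookie header into its key-value pairs."""
    if not header:
        return {}
    pairs = (p.strip().split("=", 1) for p in header.split(";") if "=" in p)
    return {key: value for key, value in pairs}


def build_profiles(requests):
    """Group page visits by the uid cookie; requests without it stay unlinked."""
    profiles, unlinked = defaultdict(list), []
    for ts, cookie, referer in requests:
        uid = parse_cookie(cookie).get("uid")
        visit = (ts, urlsplit(referer).hostname)
        (profiles[uid] if uid else unlinked).append(visit)
    return dict(profiles), unlinked


def identify(profiles, logins):
    """Attach an account name to every profile whose cookie was seen at login."""
    return {logins[uid]: visits for uid, visits in profiles.items() if uid in logins}


if __name__ == "__main__":
    profiles, unlinked = build_profiles(REQUESTS)
    for account, visits in identify(profiles, LOGINS).items():
        print(account, visits)
    print("unlinked (no cookie sent):", unlinked)
```

The cookie value itself is an opaque string; the browsing history comes from joining it with the Referer and timestamp on the server, and the request that arrives without the cookie cannot be joined to any profile.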