Alternatives to Cookies
In recent years, many alternatives to cookies have been proposed, mainly by companies that already use cookies, like Google and Facebook. The purpose of these alternatives is not to secure anonymity on the web. Rather, these companies want to replace cookies with mechanisms that are even more damaging to web anonymity.
Facebook provides a great example of what these mechanisms might be. Facebook is on the verge of releasing software that will track how long your cursor hovers over certain parts of a screen. If your cursor is hovering over your newsfeed before it clicks on a targeted ad, Facebook wants to know that. Similarly, if you hover over a targeted ad and decide not to click on it, Facebook wants to know that. Since cookies are just text files, it's impossible for them to provide functionality like this. They can't "spy" on your cursor's position on the screen. So Facebook wants to replace cookies with actual deployed software.
Google, meanwhile, wants to replace cookies with so-called AdIDs. An AdID is similar to a cookie in that it differentiates your browser from all other browsers. But an AdID would go much further in its attempts to gather information about you. Google will use AdIDs to monitor everything that you do on any Google-related service. This includes not only most of the Internet, thanks to Google AdWords, but also everything you do on your Android phone. It shouldn't be too difficult for Google to implement a fully-fledged AdID system. Apple, as a point of reference, has been using AdIDs for years.
Another idea is to use IP addresses to validate sessions. This approach makes it impossible for hackers to intercept cookies, as they do not exist. Users wouldn't have to store information on their browsers anymore, and since IP addresses are already standardized, this system could be put in place quite quickly. The downside of this method is that servers wouldn't be able to distinguish between multiple computers under the same IP address. Additionally, if the user is operating behind a VPN, the website would not have an IP address to match against.
The URL query string is another proposal that utilizes existing technology. You can see how a URL might be used to encode session information in the above graphic. Servers might send an ID string to the browser using the URL. When the browser sends a request back, it will include that query string in its URL. This parallels the mechanism of cookie IDs. One drawback of this approach is that URLs are static. In other words, if the user reloads a particular URL at a later date, or sends his URL to another user, the same preferences as before will display. Most web experts agree that cookies remain the most reliable method of user information storage today.
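The two proposals above, sessions keyed on the IP address and session IDs carried in the URL, can be compared with the cookie transport in a small sketch. This is an added example, not code from the original article; `ToyServer`, the function names and the `sid` parameter are hypothetical, and the addresses are constructed documentation-range IPs.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

class ToyServer:
    """Hypothetical in-memory server; compares three session transports."""
    def __init__(self):
        self.by_ip = {}      # scheme 1: client IP -> session
        self.by_token = {}   # schemes 2 and 3: session ID -> session

    def ip_session(self, client_ip):
        # The address itself is the key, so nothing is stored in the browser.
        return self.by_ip.setdefault(client_ip, {"cart": []})

    def new_token(self):
        sid = secrets.token_urlsafe(16)
        self.by_token[sid] = {"cart": []}
        return sid

    def url_session(self, url):
        # Session ID travels in the query string: /shop?sid=...
        sid = parse_qs(urlparse(url).query).get("sid", [None])[0]
        return self.by_token.get(sid)

    def cookie_session(self, cookie_header):
        # Session ID travels in the Cookie request header: "sid=...; theme=dark"
        pairs = (p.strip().split("=", 1) for p in cookie_header.split(";") if "=" in p)
        return self.by_token.get(dict(pairs).get("sid"))

def shared_address():
    """Two computers behind one router present the same public IP."""
    srv = ToyServer()
    srv.ip_session("203.0.113.7")["cart"].append("alice-item")
    return srv.ip_session("203.0.113.7")["cart"]   # second user's view

def changed_address():
    """The same user returns from another address (VPN, mobile network)."""
    srv = ToyServer()
    srv.ip_session("203.0.113.7")["cart"].append("alice-item")
    return srv.ip_session("198.51.100.9")["cart"]  # nothing to match against

def forwarded_link():
    """Alice sends her URL to Bob, whose browser holds no cookie for the site."""
    srv = ToyServer()
    sid = srv.new_token()
    url = "/shop?" + urlencode({"sid": sid})
    srv.url_session(url)["cart"].append("alice-item")
    bob_by_url = srv.url_session(url)["cart"]       # Bob opens the same URL
    bob_by_cookie = srv.cookie_session("")           # Bob sends no Cookie header
    alice_by_cookie = srv.cookie_session(f"theme=dark; sid={sid}")["cart"]
    return bob_by_url, bob_by_cookie, alice_by_cookie
```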
Future of Cookies
Someday we may look back on cookies as a quaint step on the road to a complete lack of anonymity on the web. We may be grateful in retrospect for the fact that cookies are just little text files that can't actively "spy" on you. This is not to suggest that we shouldn't be concerned with the deleterious effect of cookies on web anonymity. We should just be aware of the fact that the cookie debate might be just a prelude to a much more vicious, higher stakes debate over advanced web technologies that eradicate anonymity altogether. Many of the protections that we advocate against cookies--deleting cookies from your browser, for example--may not be effective against second-generation web technologies.
References
Edwards, Jim. "Think Cookies Hurt Your Privacy? You'll Beg For Their Return Once You See What Google And Facebook Are Planning." Business Insider. http://www.businessinsider.com/google-and-facebook-to-replace-cookies-2014-2 (accessed March 18, 2014).
Rosenbush, Steve. "Facebook Tests Software to Track Your Cursor on Screen." The CIO Report. http://blogs.wsj.com/cio/2013/10/30/facebook-considers-vast-increase-in-data-collection/ (accessed March 18, 2014).
Vaughan-Nichols, Steven J. "Cookies may disappear, but privacy isn't coming back." ZDNet. October 31, 2013. http://www.zdnet.com/cookies-may-disappear-but-privacy-isnt-coming-back-7000022680/
Photos: https://blog.httpwatch.com/2009/02/20/how-secure-are-query-strings-over-https/