Uncontrollable third-party cookies on the edge of legality
Nowadays, many online service providers rely on third-party software and services in order to provide their own offerings.
The diverse requirements placed on even simple service or information platforms have become far too complex to meet without such help. For example, tools for evaluating user statistics, such as Google Analytics, are relevant for many sites in order to measure and improve the user experience. External libraries are also referenced in order to integrate functions, symbols and icons into one's own website.
However, in order to meet security and data protection requirements, the operators of an online offering need to know exactly what the external helpers are doing and what actions are being carried out in the background. There is a huge problem here, especially when it comes to cookies. Website operators often have little idea how many cookies are set by the third-party provider of a service, or even by fourth or fifth parties, who in turn cooperate with that third-party provider or even act abusively.
Unpredictable origin of cookies and lack of control for blog operators
An example: A blog operator uses an ad network to automatically place ads on his blog in order to earn some money or simply to cover server costs. This ad network sets cookies from its own network in the browsers of the blog's visitors, and cooperation partners of the ad network may set further cookies. In addition, cookies are set by countless advertisers who place ads in the ad network. For the blogger, it is almost impossible to track who sets which cookies for visitors to their blog.
Study on problematic third-party cookies
In the study "Beyond the Front Page: Measuring Third-Party Dynamics in the Field", Tobias Urban, Thorsten Holz and Martin Degeling from the Ruhr University Bochum and Norbert Pohlmann from the Institute for Internet Security dealt in detail with the problem of so-called third-party cookies. We would like to summarize the most important findings in this article.
For the study, 10,000 websites and their behavior when setting cookies were examined. The security researchers came to the following conclusions:
- A single third-party cookie can lead to up to eight different cookies being reloaded from different sources.
- Which cookies are set is often unpredictable. For around 50% of cookies, the type and origin change after repeated visits to the website.
- 93% of third-party cookies originate from regions other than that of the actual website and are therefore subject to different legal conditions (keyword: data protection legislation).
- 45% of all websites set more cookies on subpages than they do on landing pages.
- If a website visitor navigates from the landing page of a website deeper into the website structure and moves around there, the number of cookies used increases by an average of 36% (!).
- The majority of cookies involved in misuse are set on the subpages that unsuspecting users navigate to after visiting a landing page.
If cookies are misused, it is usually for so-called "malvertising" or "cryptominers". "Malvertising" refers to the loading of advertising banners corrupted by viruses. "Cryptominers" use the computer capacity of the attacked computer to mine Bitcoins or other cryptocurrencies. However, this affects less than 1% of the total number of cookies examined.
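Operators can run the same kind of comparison on their own site. The following is an added example, not code from the study or from this article: it takes request records as they could be extracted from a browser HAR export, lists which third-party sites set cookies on a landing page versus a subpage, and reports how many inclusion hops lie between the page and each setter. The record layout, the `.example` hostnames and the cookie names are constructed, and the registrable domain is approximated by the last two host labels.

```python
from collections import defaultdict
from urllib.parse import urlsplit

LANDING = "https://blog.example/"
SUBPAGE = "https://blog.example/post/1"
TAG = "https://ads.adnet.example/tag.js"
PIXEL = "https://sync.partner.example/pixel"

# Constructed sample, shaped like fields pulled from a browser HAR export:
# (page visited, request URL, URL of the request that triggered it, cookie names set)
SAMPLE = [
    (LANDING, LANDING, None, ["session"]),
    (LANDING, TAG, LANDING, ["uid"]),
    (SUBPAGE, SUBPAGE, None, ["session"]),
    (SUBPAGE, TAG, SUBPAGE, ["uid"]),
    (SUBPAGE, PIXEL, TAG, ["pid", "seg"]),
    (SUBPAGE, "https://cdn.bidder.example/m.js", PIXEL, ["bid"]),
]

def site(url):
    """Naive registrable domain (last two labels). This is an assumption;
    a real audit should use the Public Suffix List."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])

def chain_depth(page, url, index):
    """Hops from the page document to this request, following initiators."""
    depth, seen = 0, set()
    while url in index.get(page, {}) and index[page][url] and url not in seen:
        seen.add(url)  # guards against initiator loops in malformed captures
        url = index[page][url]
        depth += 1
    return depth

def audit(entries):
    """Return ({page: {third-party site: cookie names}}, {site: max chain depth})."""
    index = defaultdict(dict)
    for page, url, initiator, _ in entries:
        index[page][url] = initiator
    report, depths = defaultdict(lambda: defaultdict(set)), {}
    for page, url, _, cookies in entries:
        setter = site(url)
        if cookies and setter != site(page):  # cookie set by a foreign site
            report[page][setter].update(cookies)
            depths[setter] = max(depths.get(setter, 0), chain_depth(page, url, index))
    return report, depths

def cookie_count(report, page):
    """Number of distinct third-party cookies seen on one page."""
    return sum(len(names) for names in report[page].values())
```

A setter with a chain depth of 2 or more was not included by the page itself but by another third party, which is the fourth- and fifth-party case described above.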
Conclusion
The online marketing industry still has a lot to learn. The drastic measures taken by regulators in recent years and months appear to be entirely justified in the light of the study presented here. If the industry does not fight back against the black sheep and their unrestrained data collection, moderate and well-founded marketing functions will also fall by the wayside.
