Uncontrollable third-party cookies on the edge of legality

Today, many online service providers rely on third-party software and services to deliver their own offerings

The diverse requirements placed on even simple service or information platforms have become far too complex. For example, tools for evaluating user statistics, such as Google Analytics, are relevant for many sites in order to measure and improve the user experience. External libraries are also referenced to integrate functions, symbols and icons into one's own website.

However, to meet the demands of security and data protection, the operators of an online offering must know exactly what the external helpers are doing and which actions are being carried out in the background. This is where things get sticky, especially when it comes to cookies. The website operator often has hardly any idea how many cookies are actually set by the third-party provider of a service, or by fourth or fifth parties that cooperate with that provider or even act abusively.

Unpredictable origin of cookies and lack of control for blog operators

An example: a blog operator has ads placed on his blog automatically by an ad network in order to earn some money or simply to cover server costs. This ad network sets cookies from its own network in the browsers of the blog's visitors, and cooperation partners of the ad network may set further cookies. In addition, cookies are set by the countless advertisers who place ads through the ad network. For the blogger, it is hardly possible to trace who sets which cookies for the visitors of his blog.

Study on problematic third-party cookies

Tobias Urban, Thorsten Holz and Martin Degeling from the Ruhr University Bochum and Norbert Pohlmann from the Institute for Internet Security looked into the issue in the study "Beyond the Front Page: Measuring Third Party Dynamics in the Field", in which they dealt in detail with the problem of so-called third-party cookies. We would like to summarize the most important findings in this article.

For the study, 10,000 websites and their behaviour when setting cookies were examined. The security researchers gained the following insights:

  • A single third-party cookie can lead to up to eight different cookies being reloaded from different sources
  • Which cookies are set is often unpredictable. For about 50% of cookies, the type and origin change after repeated visits to the website
  • 93% of third-party cookies originate from regions other than the actual website and are therefore subject to different legal conditions (keyword: data protection legislation)
  • 45% of all websites set more cookies on subpages than they do on landing pages
  • If a website visitor navigates from the landing page deeper into the website structure, the number of cookies used increases by an average of 36% (!)
  • Most abusive cookies are set on the subpages that unsuspecting users navigate to after visiting a landing page

If cookies are used abusively, it is usually for so-called "malvertising" or "cryptominers". "Malvertising" is the loading of advertising banners corrupted by viruses. "Cryptominers" use the computing capacity of the attacked computer to mine Bitcoin or other cryptocurrencies. However, this affects less than 1% of the total cookies examined.
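A website operator can check their own site for the patterns the study reports (cookies that only appear on subpages, and cookies that change between visits). The following is an added example, not code from the study or from this article: the site name, domains, observations and function names are constructed assumptions, and the third-party check is a plain suffix comparison rather than a Public Suffix List lookup.

```python
from collections import defaultdict

SITE = "blog.example"  # constructed first-party site name

# Constructed crawl records: (visit number, page path, cookie name, cookie domain)
OBSERVATIONS = [
    (1, "/", "session", "blog.example"),
    (1, "/", "uid", "ads.adnet.example"),
    (1, "/post/1", "uid", "ads.adnet.example"),
    (1, "/post/1", "sync", "partner-a.example"),
    (1, "/post/1", "trk", "cdn.tracker.example"),
    (2, "/", "session", "blog.example"),
    (2, "/", "uid", "ads.adnet.example"),
    (2, "/post/1", "uid", "ads.adnet.example"),
    (2, "/post/1", "bid", "partner-b.example"),
]


def is_third_party(cookie_domain, site):
    """True if the cookie domain is neither the site nor one of its subdomains."""
    d = cookie_domain.lstrip(".").lower()
    return d != site and not d.endswith("." + site)


def audit(observations, site, landing="/"):
    """Summarise third-party cookies across pages and repeated visits."""
    per_visit = defaultdict(set)          # visit -> third-party (name, domain)
    landing_set, subpage_set = set(), set()
    for visit, path, name, domain in observations:
        bucket = per_visit[visit]         # register the visit even if it stays empty
        if not is_third_party(domain, site):
            continue
        key = (name, domain.lstrip(".").lower())
        bucket.add(key)
        (landing_set if path == landing else subpage_set).add(key)
    visits = list(per_visit.values())
    seen = set().union(*visits) if visits else set()
    stable = set.intersection(*visits) if visits else set()
    return {
        "third_party": seen,                          # everything not first-party
        "subpage_only": subpage_set - landing_set,    # missed by a landing-page check
        "unstable": seen - stable,                    # not present on every visit
    }


if __name__ == "__main__":
    for label, cookies in audit(OBSERVATIONS, SITE).items():
        print(label, sorted(cookies))
```

Cookies listed under "subpage_only" or "unstable" are the ones a single look at the landing page would not reveal.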


The online marketing industry still has a lot to learn. The drastic measures taken by the regulatory side in the past years and months seem to be quite justified in the light of the presented research. If the industry does not defend itself against the black sheep and their unrestrained data collection, even moderate and justified marketing functions will fall by the wayside.