A cookie is a small text file that the web server (or websites you visit) can save on the user’s hard disk with a certain expiration period. It has information saved in name-value pairs and can be retrieved by the server that wrote it before expiry.
Contrary to some myths, this file is not executable, that is, it cannot do anything of its own, it is just a text file sitting on your hard disk.
Put very bluntly, cookies are used for 1) personalizing your web experience and 2) improving website performance (e.g. loading speed).
Without cookies, your user experience of the web could be seriously degraded, or even fail entirely. A basic example is if you have a login with a username and password, without cookies, you would have to log in every time you visit the site. With cookies, the site can keep you logged in as it saves this information on your machine.
Let me take a quick detour here and take you through the engineering lane to understand how and when these cookies are set up.
The journey starts when your browser (say Chrome) calls a server (like medium.com) to load some content.
The browser sends a request, and when the server (medium.com) returns the response to this request, it can ask the browser to set or update data in the cookies (store a text file locally).
Now next time, when the server is opened up (medium.com), the browser can send this local data to the server. And this is how cookies can be created, updated, and utilized.
Okay, enough requests and responses now 😵💫, let’s move ahead.
Till now, everything seems okay or positive for us as users because we have covered majorly constitutes First Party Cookies, i.e. cookies setup by the website you visit. This is where our detour will help us, remember cookies can be set up by any server that our browser is calling to load content.
Now, if on a website, some content is served up by other sites like say ads, these websites can also set cookies. This is where Third Party Cookies are introduced, cookies written on your disk by sites other than the one you are visiting.
Third-party cookies are where things start getting fishy😶.
Imagine you go to 5 websites — all serving company Xs ads. Each website will call this company’s server to load ads- this is where X can write cookies to your disk about your interaction with all these 5 sites ( for e.g. you spent time looking at a bicycle )
Now when you open the 6th website which also uses Company X, it will retrieve the cookies it saved and curate personalized ad content accordingly (Cool bicycle ads at heavy discounts 🤑).
And voila, you have ads creepily following you around. This is called Cross Site Profiling and is the center of scrutiny cookies receive because this breaches your privacy.
As awareness about third-party cookies increased, consumers started to be mindful of their privacy, and companies were forced to take steps. Most of the browsers introduced permissions to be taken before third-party cookies, while some completely banned their use.
In fact, Google recently announced its complete transition to the cookieless world by 2023-end. Apple made headlines with its latest App Tracking Transparency which will prompt users for permission before tracking.
Android is expected to follow Apple’s lead and move towards the cookieless world. This will shut down most of the targeting methods which depend on cookies.
But as history goes, where there is a will there is a way, and companies always find new ways to go around and will keep serving personalization to the digital experience.
This cookieless world will probably lead to IP Fingerprinting — where users will be identified using a combination of different parameters like IP address, browser preferences like fonts, color mode, and a myriad of other parameters. Then there are solutions that are working towards server-side tracking for building a rich profile of the users. We will have to see how the world will adapt as cookies disappear slowly but one thing is sure, it is bound to change.
One such innovative solution stems from the much-talked-about Web3 infrastructure, based on trustless decentralized systems where the community holds the power. It is not tough to draw parallels between the definition and what we need in a cookieless world.
Imagine a system, that can track user activities to reward publishers for their advertisements while not revealing a single thing about the user. Where users will be rewarded for their attention, will be consented to before tracking them and all this time their data will never be shared. Sounds too good to be true, but concepts like Cryptography and Zero-Knowledge proofs enable web3 to come up with exactly these kinds of solutions. And to top it all, there will be no organization defining what happens when and how - there will be decentralized servers running on pre-defined algorithms taking care of all this.
I am working on something similar at Intract, it’s still in the early phases but can potentially change the cookieless tracking for good. But how will such systems work, will they be accepted, and how will Web2 giants react to it, are people really concerned about privacy this much, there are a lot of questions around it, out there to be solved, to be thought upon by folks like you and me.
I hope I was able to settle some questions and curiosities while leaving you with some more to ponder upon. There are a lot of terms and concepts that I introduced in this article, but delving deeper into them would be out of the scope of this blog. While blogs have a defined scope, conversations can meander around, and therefore, I would love to connect and discuss the thoughts you have. Hit me up, comment, or directly just ping away.