Got Web Beacons, Tracking Cookies or Browser Fingerprinting?

Web BeaconsWeb beacons, tracking cookies, pixel trackers and browser fingerprinting are used increasingly on college and university web sites. Unfortunately, most CIO’s and Chief Marketing Officers have very little knowledge of these web trackers presences and are naive as to their uses. In my opinion this is a significant problem for higher education that could kill any momentum in growing online learning, learning analytics, gamification, and existing uses of cloud services. But let’s not get ahead of things just yet.

Internet tracking has become so sophisticated it has been referred to as the new arms race by researchers as the University of Washington. The problem is so vast I struggled with how to best break it into manageable pieces while still keeping it interesting and valuable.

So to kick things off I thought I should start with an overview of the most common forms of web tracking used today. There are other forms such as the use of ETags (entity tags), Visited Link Coloring and some other less common forms. But for now, I will focus on browser fingerprinting, cookies, Flash Cookies (LSO), and web beacons (web bugs).

Browser Fingerprinting

Browser fingerprinting is becoming increasingly useful to third party trackers and data aggregators as a way of matching known personal information with anonymous and pseudoanonymous data collected online. This is done by collecting the basic technical details about your browser, browser settings, IP address. These data elements are often noted in the site’s privacy policy as being anonymous and very innocuous.

Perhaps the best way to understand this is for you to use the Electronic Freedom Fronties latest research tool Panopticlick  to see just how unique and trackable your browser settings are.

Browser Fingerprinting Panopticlick Results

According to my browser fingerprint test using Panopticlick it would be very easy to track me while gathering anonymous and pseudoanonymous browsing history data and match it on the back end to personally identifiable data.

What are Cookies

Cookies are small bits of data downloaded and stored text by a user’s browser from web pages they visit. Their purpose is to store bits of information about your interaction with the website and its content. Contrary to popular belief, cookies do not contain software or programs.

The primary use of cookies is by site operators to record and remember any preferences you have selected for viewing the site as well as what features you have used, what content you have seen, and what actions you have taken so that if you return to the site at a later time it will remember you and your prior visits.

First-Party Cookies

There are several types of cookies that are classified by how they function and who sets them. First-party cookies are the ones most people are familiar with which are set by the website owner and have the same domain name as the site.  So if you visit the University of Virginia website at Virginia.edu you will get several first-party cookies downloaded into your browser. The details of one of the site preference cookies are shown here:

First-Party Cookies

Third-Party Cookies

Third-party cookies function the same way but are cookies downloaded from a website that are not from the website domain. Third-party cookies are also called third-party tracking cookies, or tracking cookies, because their primary use is to accumulate long term browsing histories that is used by third parties.

One of the more common uses of third-party tracking cookies used heavily is for behavioral analytics to tailor online advertising or content to site visitors. So when visiting portions of the University of Virgina such as their News page you will get two third-party tracking cookies from ShareThis.com shown one that expires in a few hours but the other, shown here, won’t expire for a year.

Third-Party Cookies

Some third-party tracking cookies used for site analytics are actually set by using the site owner’s domain as with Google Analytics making this an even messier situation to sort out.

What are Flash Cookies LSO

Flash cookies also known as “local shared object” (LSO) are pieces of information that Adobe Flash might store on your computer. This is designed to save data such as video volume preferences or, perhaps, your scores in an online game.

The difference between Flash cookies and a browser cookie is that they are not stored in your browser which makes blocking and deleting them harder. This makes them more controversial because several unsavory companies have used them as “cookie backups” to reload cookies back onto your computer if you delete them as “cookie backups”

What are Web beacons

Web beacons are very small, usually invisible, objects embedded into a web page or email. Web beacons are also referred to as , which also go by the names “web bugs”, “tags”, “tracking bugs”, “pixel trackers” or “pixel gifs“.

In their simplest form they are tiny clear images the size of a single pixel that loads as an image when the web page is loaded or the email opened by making a call to a remote server for the image. The server call alerts the company that their email has just been opened or their web page visited.

Web beacons are used heavily by companies that want to track when their emails are opened.This has also made them attractive for spammers that use them to verify active email accounts by sending emails with pixel trackers embedded in them. This is why you should not display images in emails from senders you do not trust.

Web beacons are also used by online advertisers who embed web beacons into their ads so they can independently track how often their ads are being displayed.

This is just the beginning of what I hope will be an enlightening set of posts.

This entry was posted in Privacy and tagged , , , , , , . Bookmark the permalink.

8 Responses to Got Web Beacons, Tracking Cookies or Browser Fingerprinting?

  1. Kyle James says:

    Great post with information that people should learn more about. I wrote this article years ago on the four types of clickstream data. There is some overlap but I just wanted to include it to help people get the complete picture here.

  2. Pingback: Facebook Like Button Violates University Privacy Policy

  3. Pingback: Tracking the Trackers on College and University Web Sites

  4. Parigi says:

    Gotta love web bugs. The later part of my programming with Evil Marketing Company(TM) deeald with them, along with a rather ingenius (translation: evil) javascript app. Company signs up, we give them a one-line JS include code to put on all their web pages. What it does it goes through every link, every form, anything that could be acted upon… looked at it’s onClick/whatever code, shunted it off to an object and replaced with our code that 1) runs the original code, if any and 2) notified us of any action you made on that page via web bugs.

    Collecting form data was the big thing here, reporting it to us even if you close the web browser before submitting the data.It also used cookies to track the user’s state, but since this was all implemented in JS, the cookie was actually set within the realm of the client’s site! This mean it got around IE6′s pesky ignore-3rd-party-cookies-by-default thing.The client could go in and design a visio-like diagram of how our shit integrated into their site. IE, user enters shopping cart site, puts something in their cart, then proceeds to checkout.

    Nowadays the first thing they ask you for is your email address when you check out. Say user puts in email address, but does not finish checkout. Our system sends them an email, giving them an incentive to finish checking out. Say 10% off the purchase. If they leave before an email addess was collected, you may get hit with a popup.Evil. Clever, but evil.

    • The Higher Ed CIO says:

      Parigi – Thank you for your behind the scenes insight. If more people really knew what was happening with the widgets and plugins they use they might think twice about using them or at least be more honest with their site visitors.

  5. Schneek says:

    I have learned some good stuff here. Now I just need to decide what to do with it.

  6. Pingback: EFF Introduces Panopticlick for Browsing Privacy

Leave a Reply

Your email address will not be published. Required fields are marked *


9 + = 15

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>