During my Web Analytics studies at UBC, an interesting topic arose that was the centre of some lively discussion:

Is the use of cookies to track online behaviour an invasion of privacy?

If you were watching the news lately, you’d think they probably were. Last week, the White House caught quite a bit of flack about using web beacons (a.k.a., web bugs) and persistent cookies on their website, http://www.whiteHouse.gov. Interestingly enough, the use of web beacons (in a nut shell, JavaScript that calls a tiny image while transmitting some data about a web site’s visitors) was not the problem. The problem was the existence of persistent cookies. I won’t go into detail about how the cookies got there, or if they were actually set by the White House website, but basically these little text files that are stored on your computer are quite controversial to some. I’ll just offer this:

Relax. What’s the big deal?

I feel there is this strange perception of what is private and what is not with respect to different mediums. Consider this: whenever you use your credit card, you are tracked by the store, and the credit card company. Banks especially, know if your credit card usage is out of your “norm” and will contact you. Yet, no one complains about that. Similarly, cell phones today have GPS functionality. Yet no one seems to raise a fuss about being located by the phone company. And those close circuit cameras around your offices? No worries. But when it comes to web surfing, it’s a whole different ball of wax.

For some, web usage must remain secret, and completely private. You’d think they were spies, deleting their caches and flushing their cookies after every surf-session. I think the public has to accept that anytime technology is in between you and the person you are trying to communicate with, there is a risk of information theft. Have you secured your WiFi connection? Chew on that for a bit.

Blocking cookies? Pointless.

There is a misconception that deleting or blocking cookies will make you disappear from web analysts’ and Big Brother’s radars. News Flash: You’re just fudging up the numbers. Outside of using public computers, where I totally condone deleting cookies since people might login as you if you’re not careful, I don’t see the point. With respect to Google Analytics (GA) alone, even if you were to block cookies, web analysts still have your IP, screen resolution, browser make, and a myriad of other stats. The cookie is just a small part of the equation.

The anatomy of the Google Analytics cookie system

Upon closer inspection of the GA cookies you’ll notice that the GA cookies actually don’t contain a great deal of information about you. Basically, they only contain:

• A unique number identifying your session


• A Google Analytics account number that identifies the web bug account


• A cookie that refreshes every 30 minutes with no real information in it


• One persistant cookie with no real information in it

By blocking these cookies, you successfully do the following:

• Increase the number of “Unique Visitors” reported


• Reduce the number of return visitors reported

That’s pretty much it really. (See for yourself with Stéphane Hamel’s WASP application.)

NOTE. Yes, I know 3rd-party cookies are still borderline in terms of privacy. I’m talking about 1st-party cookies here. But thanks.

Most cookie usage is not evil

Another argument I hear is that some users don’t want customized content, or they don’t want to let marketers into their heads because they find marketers “evil”. Contrary to popular believe, marketing isn’t evil. At the heart of marketing (and most web analytics) is the attempt to discover a need or want within a market segment (or to find a new market segment completely) and satisfy them. That’s it. Marketers simply want to figure out what you want and give it to you (I know, crazy concept). If you don’t like what they’re offering, ignore them (which many of us already do), and market forces will do away with them eventually.

Other methods to maintain your privacy

So, deleting/rejecting cookies isn’t the holy grail of privacy. What is a privacy-nut to do then? Here are my tips for those who wish to drop off the map:

• Delete your: Facebook, MySpace, LinkedIn and Twitter accounts as well as your blogs and personal websites. Get your personal information off of there - those are prime targets for identity theft, which is much more serious than your surfing history. Try doing a serach on Piple to see what I mean.


• Always use a web proxy you created to hide your IP. Don’t trust anyone else’s proxy but your own.


• Never use WiFi, especially don’t do online banking via wireless.


• Never use, Hotmail, or Gmail. In fact, don’t use mail at all.


• Don’t use a cell phone (iPhones included, dear lord, especially not iPhones)


• Don’t use satellite TV.


• Burn your garbage. Why hack cookies when I can simply pick out your bank statements from the trash?

Essentially, disconnect from the wired world altogether. Or…. accept the reality of the web, that ANY information you put into it is somewhat vulnerable (so be careful about what you publish) and know that cookies aren’t that big a threat, and are definitely the least of your worries.

What are your thoughts about cookies and privacy?

(Thanks to Jacqueline Ng, Stéphane Hamel, Adrian Liem and my classmates at UBC for the great conversation and feedback.)