Upon reading the news of the recently passed UK bill which will require websites to get visitor consent to use cookies, I broke out into a cold sweat.  As a web professional who has created many websites and who manages about a dozen for our indie inspirational media studio, the economic implications of the bureaucratic workload this mandate creates is painful to consider – as it is for millions of other companies.  However, the straw breaking the backs of our already loaded schedules is minor compared to deeper injuries to our collective progress.  I write this article as a plea not to succumb to this privacy paranoia, born of ignorance, and fuelled by media sensationalism combined with personal fears about the skeletons in our browser’s closet – lest we destroy the technological progress we have painstakingly made and move closer to a less open and more corporate dominated internet.

We’ve been led to believe that “cookies” are responsible for all the evils of personal information leakage, but the cookie has been wrongly accused of being the monster.  Cookies are actual the benign by-product of another more geekish sounding technique.   The true culprit lies not in this other technique alone but in it being leveraged in a way made possible by recent big business manoeuvres.  The largest of these happened in 2007, not long before those eerily accurate banner adverts started appearing everywhere.

First, discard the myth that a cookie is some sort of active thing, like a virus.  It’s not.  A cookie is as impotent as a blank piece of paper.  Cookies don’t track you by themselves.   In fact, cookies cannot do anything by themselves.  Banning cookies for what has happened with advertiser excesses is like forbidding blank CD-Rs when in 2011 millions of medical records were lost by the NHS.  A cookie is nothing more than a clean slate where a website’s code can store something, anything, temporarily, and you want this, in fact, you need this.

Why?  Websites without cookies are really dumb.  They have zero short term memory.  In the industry, we say they are “stateless”.   You can’t have a website which you log in to because the page that loads after you click “log in” will have forgotten that it’s you.  This means no forums, no Facebook, no Twitter, no Amazon, no shopping carts, no Inst-a-gram, no sharing.  Wikipedia would stop evolving and begin to gather dust like grandpa’s old encyclopaedia set.  Cookies bridge the gap.  Without them, websites which do stuff rather than just show stuff would not exist.

So how is it that we can do a little window shopping on Amazon and then see that very same product black-magically appear on some random blog we visit? The actual cause is that most websites have lots of little windows or “frames” onto other third party websites.  That ad banner you see is often not controlled by the website you are visiting but instead is just a window onto an entirely different website.

The technique is called a Cross Site Request or CSR, and it makes a lot of the interactivity of modern websites possible by outsourcing complex features to existing third party services.  These include things such as commenting (e.g. Disqus), sharing (Facebook “like” buttons), visitor statistics tracking (Google Analytics) and advertisements (AdSense, DoubleClick).  When your web browser peers into these 3^rd party sites through the frame, it’s like you are visiting them explicitly and they may set their own cookies and track which browser you use and a few other benign pieces of technical information.  This by itself also is not cause for concern.  Web browsers, for privacy reasons, forbid each of these “frames” from communicating and sharing cookies with the others.

The real culprit behind privacy concerns and the reason for these frightening déjà-vu adverts is that recent years have seen a huge amalgamation of once independent advertising networks such as the controversial merger of Google with online ad giant DoubleClick in 2007.  Now many websites, from the big boys like Amazon to small time bloggers trying to earn a living, are all signed up to the same network.  They all have little frames onto the same DoubleClick computer network.  So when you see the digital camera you just checked out on Amazon suddenly show up on some-new-blog.com, it’s not that they all have been talking about you behind your back, they all just have frames onto the same DoubleClick website.

DoubleClick knows that some-new-blog.com is all about nature, so now it knows that you probably like taking pictures of nature.  This might begin to sound spooky, but is it really a problem?  So what if they use my information to show me something I might actually care about rather than a beer advert when I don’t drink, or a BMW advert when I prefer Lexus?  If you are worried about those late night browsing sessions or spoiling your holiday surprise for your hubby, then just get yourself Google Chrome and use Incognito Mode, problem solved!

The thing to realise is that these advertising companies don’t actually care who you are.  They only care about trends of behaviour as relevant to your shopping interests.  They have no interest in burdening their expensive infrastructure and maintaining the legal hornets’ nest that is a database with private information. In short, they are interested in recognising you not identifying you.

The law already prevents websites and anyone else from sharing information that personally identifies you.  If some-new-blog.com has a forum in which you’ve entered your name, age, phone number, credit card details, deepest fears, and unguarded summer home address, they are not allowed to share this information with DoubleClick without your express consent (you did read that fine print didn’t you?).

In reality, it’s not advertisers we fear.  We’re afraid of the Orwellian inclination that seems inherent in some government practices.  The Occupy / Twitter scandals, when police subpoenaed users’ feeds, fuelled this paranoia.   Did you know that the information they requested was public anyway?  The subpoenas were an intimidation tactic.

What’s the solution to all of this?  First, know there is no technical solution.  Discouraging cookies or any other technique is like restricting iPods to curb piracy.  With websites, if you want them to actually do something, then the same technology that allows you to log in or upload a photo to your pin board can be used to track that you looked at a new camera, or visited a dating site, provided that the related sites all use “frames” onto a ubiquitous 3^rd party service.

I offer two solutions.  The first is just to stop worrying.  Learn how to clear your cookies and history  and do it once in a while if you feel the need (I never do, unless I’m testing something).  Use browsers’ “incognito”or “private browsing” modes if you want to hide your footprints from others who use the same computer.  If you are mega-paranoid about your James Bond lifestyle then read up on the free Tor Project.  But you probably shouldn’t be.  Let’s get real for a minute:  For 99.99% of us, our privacy is protected simply by the fact that we don’t actually do anything that interests the world at large or the powers that be!

The second solution is for us collectively to start paying more for content and online services.

There is an expression: “If you aren’t paying for the product then you are the product”.  Hugely popular online services have huge running costs and advertising is currently the most viable strategy to pay for them.  This is because as soon as they begin to charge at the door, everyone leaves.  We are the victims of our own stinginess and something-for-nothing entitlement mentality.

Whatever you do, don’t succumb to the formula that, consciously or unconsciously, is at play:   Step 1: Make public afraid.  Step 2: Use fear to get laws passed restricting public freedom.  Step 3: Repeat.  The more bureaucracy and overhead we add to launching an online idea, the more the internet will become solely the domain of big businesses and if you think the attempts to turn you into a commodity are bad now, just wait until then.

In Brief: Why We Should Eat Our Internet Cookies and Like It

• Cookies nothing more than a piece of paper with writing on it.  They can’t do anything on their own.
• Tracking your browsing behaviour is made possible by lots of separate sites having “frames” that peer into a single 3^rd site like advert server DoubleClick
• In 2007, Google merged with DoubleClick amidst concerns about competition and privacy.  Since then, DoubleClick is almost ubiquitous amongst websites serving adverts.
• This means that something you view on Amazon might turn up as banner on a small independent blog.  The blog itself has no idea about the particular advert or your preferences
• Existing laws already prevent sharing of information that can personally identify you as in your name, NI number, address, etc without your consent
• Advertising companies don’t want the legal burden of storing your actual identity.  They don’t want to identify you, just recognise you between different website views
• One solution is to start paying for free services like Facebook so that they are less dependent on advertising and therefore behaviour tracking for their revenue
• Creating technological hurdles damages business, especially small ones, and makes the internet less open to new ideas emerging