Cookies are the best way to track users. Or are they?
It’s not unusual for me to write about cookies. So I am going to continue doing so! Last week we had a web analytics Wednesday event where we looked at data and privacy issues which the poor chap who was presenting (Alan Meneghetti) must have wished he’d never turned up! He was from a company (Clyde and Co) that specialised in International law, however as we’ve seen in the past online, the law and what users want rarely match up. And in this case it looks like the users are revolting to pick their own standards because the Government won’t.
The trouble is, as I’ve talked about on my guest post at eConsultancy, the problem isn’t with the technology that is being used (it’s the opposite to the problem with those that like to torrent!), the problem is with the way that businesses use the technology to exploit the user. Users don’t like it. In the same way that I don’t like someone wandering around the shops behind me telling me that I tried on something similar in a shop earlier and I could go back there and buy it.
So without turning this post into another rant in a similar vein to the eConsultancy post (which had a series of recommendations I might add), I thought I should point out how futile the approach of blocking cookies is.
Browser cookies are currently the best way of tracking someone’s user behaviour. Or are they? Notoriously I already tell the people when I do my analytics training that you users are a fickle bunch. You:
- Delete cookies frequently
- Use different browsers (or even computers/devices)
- Use the same browser for multiple people
- Block cookies
They’re not very accurate. “Get over it.” I tell the people on the training. Unique users in web analytics tools do not equal people. They never have and never will. Treat them as such.
But are browser cookies currently the best way of tracking someone’s user behaviour? What happens if I could tie up your visits another way? How could I do that you ask? Well there have been ways that organisations have been doing it for a long time. The most simple of which has been to get you to login and use that information as the unique identifier.
This was the basis for Redeye when they ran their analysis many years ago on a website that users had to login to. They worked out that on average the number of users calculated was about twice the number of people over the space of a month if you used cookies. It was about seven times as high if you used User agent and IP address and this pretty much ended anyone using user agent and IP address as a measure of a person.
Add into this fact that you are probably logged in to Google all the time (and/or Microsoft or Yahoo!). Although they claim they don’t Google could quite easily link up what you were doing on all those websites that they have tracking code on by your Google login ID and then use that to do targeting on you. Microsoft on the now defunct Gatineau used the information in your MSN passport to give those websites with their tags more detailed demographic information.
Whilst you can’t see a big company doing something they shouldn’t really, I am sure there are enough companies out there that would want to exploit the users in the hope that they’ll make a small amount of money out it by having lots of tags on lots of site and allowing you to login once. Especially on an ad network.
User Agent and IP address
Controversially a company recently was caught using Flash cookies to resuscitate the browser cookie and allow them to continue tracking you even if you’d deliberately deleted your browser cookie to stop this happening. Flash cookies are computer dependent rather than browser dependent so they can allow you to monitor users from various different browsers (if they use them).
Flash cookies are far more hidden than browser cookies and so the average user won’t know how to delete them. This makes them far more dangerous, especially considering the proliferation of flash used in online advertising – 95% of the time you won’t know whose website you are connecting to, to get your content.
What would happen if it turned out that you could identify me by the way that I browsed? That’s a controversial subject that the psychologists have been debating for a long time. Maybe some people hold the mouse in a certain place on the screen, or they automatically run it over links. Some of us read at a similar sort of speed and use similar types of search terms to get to websites. There could be a whole host of unique behaviour that could identify us in a better way than user agent and IP address ever could.
All of these linked together
My new company (Adversitement) has recently just announced a new technology called ActCorrect. What it does is use an algorithm to link together visits using some or more of the above technologies (don’t ask me which ones, I didn’t do it!). We reckon it will allow you to track a visitor on a far more accurate level than ever before.
However as mentioned, this capability isn’t only as good as those who are using the data. We’ve been quite specific that we won’t use this technology to identify individuals and target them. The point of this technology is to get a better insight of the aggregated use of the website over time and a better handle on how well campaigns work and how the website is used. This information shouldn’t be used to identify individuals.
However it will only be a matter of time before a company comes up with something similar and then uses the technology for targeted, personal and real time advertising that users are going to see as an invasion of privacy. To stop this there is no point continuing the banning of useful technology. The process has to start with the Government creating laws that limit how you can use the data. What’s more, it has to happen fast.
The telephone sales industry has been forced to provide a clear message stating that they are going to record messages at the start of a phone call and for what purposes it is going to be used. Maybe we need it so that if you turn up at a website it tells you what it is going to do with your data (rather than asking for your permission to do so).