A Not-So-New Way to Recognize and Track Users Without Cookies

9 July 2020

Web marketers have relied on third-party cookies to track website visitors for over 25 years. One problem with cookie technology is security concerns: hackers can easily intercept users’ data to hijack their accounts if the browser sends cookies over unencrypted connections. As the number of account hijacking cases is growing over time, the flaws of browser cookies are sparking an ongoing controversy about this technology. To respond to these concerns, modern web browsers started a crusade against cookies, resulting in browser-level blocking, third-party ad-blocking apps, and stricter regulations. Now, cookie technology is gradually being phased out by browsers and governments alike. However, marketers still need to carve out a way to identify individual users and track website visitors’ data. Today, we are going to break down one method of user recognition without using cookies. So, let’s get started.

The demise of cookies

The role of cookies in user tracking has always been widely discussed and debated. In essence, the technology itself is very convenient: the user authentication model based on cookies gives users the convenience of not having to enter login credentials every time they revisit a website. However, it is not always clear how and by whom this information is used. In 2018, the EU revised its personal data protection laws. The GDPR places more responsibility on businesses to protect the personal data and privacy of EU citizens. Against this backdrop, many web platforms are now moving away from cookies. On the one hand, this is yet another step towards a more privacy-focused internet. On the other hand, the recent updates compromise the core functionality of many websites, the economic ecosystem of the internet, and digital analytics.

However, cookies are not the only tool for data storage and tracking. There are more web technologies available.

The role of web caching

A web cache’s primary purpose is to increase data retrieval performance by eliminating the need to access the underlying storage layer. How does caching work? Your web browser remembers pages visited so the next time you come back to the same website, it will load faster. So, web caching helps reduce server load and accelerates content delivery. For example, if you visit a web page for the second time, the server does not have to send it again because the browser has remembered it for you. The page is displayed from the browser cache the moment you open it.

ETags are part of HTTP, the protocol which communicates information from server to browser. ETags are IDs attached to every webpage file delivered by a server. This is how the server finds out whether the user has cached the newest version of the page. ETags serve a useful purpose by speeding up website performance and reducing server load. No additional configuration is required: the technology is supported on all web platforms.

Here is an example:

Day 1. The user hits a website for the first time. There is no ETag in the request. The server sends the site back with ETag555, and it is cached on the local device.

Day 2. The user visits the same website once again. The browser already holds ETag555 and includes it in the request. The server determines whether the resource has changed. If the current ETag on the server matches the one the browser has stored, the server will respond with a “not changed” message. The browser can then simply use the site that was cached on Day 1.

Take a look at this website and click through the three pages. You will notice that the ID remains the same. Then, reset your computer and repeat the same steps the next day. The ID is not going to change. The website doesn’t drop any cookies, and you won’t find any dubious query strings in the URL. Still, it is possible to find out which device you were on when visiting this resource.

Cache and user data

ETags can also be used for user tracking and recognition. Let’s analyze the website we have discussed above:

  • it’s a simple three-page website;
  • the same iFrame is embedded in each of the pages;
  • when the iFrame resource is requested, PHP generates a random ID on the server side. This unique ID is used to override the ETag ID for the iFrame, which is usually issued automatically by the server;
  • whenever a user clicks on one of the pages, ETag is included in the request and is checked on the server;
  • if ETag exists, it means that the site was hit by a returning visitor. A new ID is created for each new visitor.

The ETag ID gets into the analytics in the following way: the ID from the request/response is printed in the iFrame on the server side, so the iFrame now contains the user’s ID. JavaScript running on the website visitor’s side then reads this ID from the iFrame and includes it in the analytics tracking request instead of a cookie ID.

How to protect your data from ETag tracking

There are a couple of ways to prevent ETag tracking:

  • Disable cache in the browser. This is not the best option, but it works. Note that caching has a lot of advantages and helps to accelerate web page content delivery. If you disable caching, it’s possible that website load time will increase.
  • Modify headers with a browser add-on. Most browsers do not allow you to modify headers, but there are plenty of extensions available such as ModHeader. Files are stored on the user’s side, and the browser requests them from a cache when a website is revisited. The If-None-Match string is added to the request. If the user overrides the If-None-Match header to be blank on each request, a new ETag value will be generated every time the user requests a page, which makes it impossible to identify their device.
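
The model below is an added example, not code from the demo site. It reproduces the iFrame handler described in the previous section and a browser cache in plain Python, then shows that the ID stays linkable across visits by default and stops being linkable under either mitigation above. The names `iframe_handler`, `Browser`, `ids_seen`, `linkable` and the URL `/frame.php` are assumptions; the network and HTTP status codes are left out.

```python
import secrets

def iframe_handler(request_headers):
    """Server logic as the article describes it: a non-empty If-None-Match
    means a returning visitor; otherwise a random ID is minted as the ETag."""
    etag = request_headers.get("If-None-Match", "").strip()
    returning = bool(etag)
    if not returning:
        etag = '"' + secrets.token_hex(8) + '"'  # random per-visitor ID
    # The ID goes out as the ETag header and is printed into the iframe body,
    # where page JavaScript can read it for the analytics request.
    return {"ETag": etag, "body": "visitor=" + etag, "returning": returning}

class Browser:
    """Constructed cache model: remembers the last ETag per URL."""
    def __init__(self, use_cache=True, blank_if_none_match=False):
        self.cache = {}
        self.use_cache = use_cache
        self.blank_if_none_match = blank_if_none_match

    def get(self, url):
        headers = {}
        if url in self.cache:
            # Revalidation: the stored ETag is replayed unless an add-on
            # overrides the header with a blank value.
            headers["If-None-Match"] = (
                "" if self.blank_if_none_match else self.cache[url])
        response = iframe_handler(headers)
        if self.use_cache:
            self.cache[url] = response["ETag"]
        return response

def ids_seen(browser, visits=3, url="/frame.php"):
    """IDs the server assigns to one browser over several visits."""
    return [browser.get(url)["ETag"] for _ in range(visits)]

def linkable(ids):
    """True when every visit carried the same ID, i.e. the device is tracked."""
    return len(set(ids)) == 1

if __name__ == "__main__":
    for label, browser in [("default", Browser()),
                           ("cache disabled", Browser(use_cache=False)),
                           ("blank If-None-Match", Browser(blank_if_none_match=True))]:
        print(label, "->", "linkable" if linkable(ids_seen(browser)) else "unlinkable")
```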

Conclusion

How the ETag technology is used depends entirely on one’s intentions. It is important to be aware that there are other user tracking options available in addition to cookies and to put this knowledge into practice honestly and transparently. However, this is not always the case.

There are a number of instances where ETags were used illegitimately, and this is likely to happen again in the months and years to come. A lot of businesses and organizations are quite vague about how they use ETags. Let’s analyze this in more detail using the example of Wendy’s. The organization’s privacy policy states that “ETag tracking may generate unique tracking values even where the consumer blocks HTTP, Flash, and/or HTML5 cookies.” There is nothing illegal about that, and after the company’s privacy team was asked to comment on this issue, they confirmed that Wendy’s doesn’t use ETags to track user behavior. However, the privacy policy is open to various interpretations, and this is potentially troublesome.

Lack of transparency about data transfer is what led to the inevitable demise of cookies. The user obviously doesn’t want to feel vulnerable, while dishonest policies lead to public mistrust and even hamper technological development. We can only hope that the inappropriate use of technologies will be dealt with one day.
