Adequate levels of consent and notification is subject to what a company and vendor decide is sufficient enough to meet the requirements of governmental regulations. It is solely my opinion that cookie consent is insufficient for the proper notification and tracking of user actions.
Hello! My name’s Benjamin Anderson and I’m currently working on my thesis for the fulfillment of the requirements for the degree of Master of Science in Data Science.
With the guidelines I’ve been given, there are three approaches I can take when writing my thesis:
A client-based project, where I have to work in conjunction with a client of some sort. Usually this is an employer through an internship that can be paid or unpaid.
A business plan project involves identifying goals, objectives, and products of the proposed organization.
Or a case study involving the historical development or evolution of a topic, concept, business, or industry.
My proposed topic involves the technologies used in the privacy industry and governmental regulation. I’ve already worked and consulted with some of the more prominent privacy vendors in the industry, discussing how they manage consumer consent, and proposing a different, more accurate, approach (in conjunction with their existing methods) to giving the consumer a more informed approach. My goal was to make my thesis a client-based project and assist vendors; ultimately my ideas were rejected. It’s been about 2 years since my initial outreach and things have not changed.
Now my goal is to inform consumers on how they’re being tracked on the web and in mobile applications. I’m going to follow the business plan project format as it’ll allow me to propose my augmentation to the antiquated approaches consent management vendors utilize.
In the past, cookies were the definitive way to track users, and still are to an extent. Cookies store information that the browser can save. Cookies dropped by the website or components the website runs or owns are called “first-party” cookies. All major browsers respond to and allow the reading of first-party cookies. Cookies dropped by a third-party, a vendor, something the site does not own are called “third-party” scripts – these are deprecated by all major browsers and even completely disabled by Apple’s Safari.
There are other tactics to tracking users with first-party cookies, even without them ever noticing they’re being tracked. Two common approaches include “tracking pixels” through server-side image rendering and redirect tracking. I’m going to demo the latter.
Now I want to emphasize that redirecting to drop a cookie isn’t always used for tracking purposes. Many companies use this approach for a “Single-Signon” solution – login in one form logs you in across all services. Google uses a similar approach by logging you into Gmail and YouTube when you sign in on their homepage.
Here you can see a rather plain website. It consists of a button and an iframe pixel to simulate what server-side cookie dropping. Usually a tracking pixel will be an image with 0x0 or 1x1 dimensions, so it doesn’t have any impact on the site rendering. I’ve commented out the gif as I’m using a simple webserver that can’t drop server-side cookies.
To the bottom right you’ll see two logs: one is from Service 1, the website we see now, the other is from Service 2, the website we’ll use redirect tracking to drop a unique ID. Currently we have no cookies on both websites.
In the code we can see a function to set a cookie, and an event listener on the button to generate a cookie, set it on Service 1, then redirect to Service 2, passing in the cookie id in a URL parameter.
Service 2 redirect.html reads the id parameter and drops a cookie on Service 2, then redirects to service 1. Usually a callback url is provided as a parameter, but for simplicity I have it hard-coded.
Service 2 index.html logs the cookie information that’s on the Service 2 website for debug purposes in the browser.
Please note that I’m using Google Chrome 84 and have third party cookies.
When we click the “login” button, we will:
- Drop a cookie
- Redirect to Service 2
- Have service 2 drop the same cookie name and value
- Redirect to service 1
- View the Cookies Inspector in the console and see that the cookies on Service 1 and 2 match
Here we go!
Just like that, you would never know that you were redirected to a different website and have your information tracked across services.
Existing vendor solutions do not capture these kinds of tracking methods. Paragraph 24 (2016/679) states that “the monitoring of the behavior of data subjects” ( the user ) is subject to the regulation, which requires the user’s consent ( paragraph 32 ). Sites that load vendor scripts that do not respect the “Do Not Track” header are in breach of GDPR and subject to lawsuit of up to 3% of the company’s revenue.
Fortunately, there is a solution to capturing these insights as well as providing companies information on where/what is causing them to be out of compliance: network monitoring. Network monitoring will capture these redirects and allow you to flag them. This, in conjunction with traditional cookie monitoring, will allow companies to provide their consumers the full scope of how their information is being processed and who is being shared with.
I’ll be posting video updates once a week and maybe a few written articles explaining how some of the technologies work internally.
Until next time!