
Visitor Tracking Without Cookies (or How To Abuse HTTP 301s) - jaynate
http://www.scatmania.org/2012/04/24/visitor-tracking-without-cookies/
======
paulsutter
The laws don't define cookies narrowly. Just because you're not using an http
set-cookie header doesn't mean you've circumvented privacy laws. For example,
UK law:

<http://www.aboutcookies.org/default.aspx?page=3>

6. - (1) Subject to paragraph (4), a person shall not store or gain
information, or to gain access to information stored, in the terminal
equipment of a subscriber or user unless the requirements of paragraph (2) are
met.

(2) The requirements are that the subscriber or user of that terminal
equipment -

(a) is provided with clear and comprehensive information about the purposes of
the storage of, or access to, that information; and

(b) has given his or her consent.

~~~
rmc
Agreed, the new EU ePrivacy directive is not about "cookies" per se, but
storing and re-accessing data you store on people's computers. Cookies are the
main example of that, but it also applies to anything that can re-identify a
user.

~~~
blauwbilgorgel
In a sense the "Cookie law" is a confusing misnomer. Not only "cookies", but
also local storage, flash cookies, plugins, toolbars, and even resources like
images, HTML, CSS and JS fall under this law.

The Dutch minister spoke of (freely translated): "Everything that reads or
stores your data on your appliance, without permission, without a functional
goal other than tracking".

Some techniques like browser fingerprinting (<https://panopticlick.eff.org/>,
but also possible with <http://modernizr.com/>) don't store anything on
your appliance, but would still fall under the "reading your data from your
appliance" part of our law, if used for tracking purposes.

You would need permission to use the "grey" technique from the article. Even
if you were to store that data in aggregated form.

~~~
fkdjs
If I write a site that logs users in, I keep track of them merely by storing
their username in a database as well as a cookie value representing that they
are logged in, so do they need to accept terms before logging in?

~~~
rmc
There is often "implied consent" for storing local data that is strictly
necessary to perform an action that a user has initiated.

------
eli
The more common way to do this is to stuff data in the ETags or Last-Modified
date on a cacheable piece of content. This "hack" is at least a decade old, by
the way.

Kissmetrics was actually using it in the wild for a while, but I think they
stopped after there was a public outcry.
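
The ETag / Last-Modified trick eli describes, and the cached-redirect variant the submission's title refers to, share one observable property: the same URL, fetched from two independent cold caches, comes back with validators or a redirect target that differ per visitor, whereas honest caching returns identical values for identical content. The following check, added here as an illustration and not code from the original article or from any of the commenters, compares two such fetches and reports that difference. Names (`Response`, `compare_cold_fetches`, `cache_max_age`) and the sample responses are constructed for this example; the redirect case assumes, as the title suggests, a cacheable 301 whose `Location` carries a per-visitor value.

```python
import hashlib
import re
from dataclasses import dataclass


@dataclass
class Response:
    """Minimal view of one HTTP response: status, headers (lower-case names), body.

    Constructed for this example; fill it from whatever client you use to
    perform two cookie-less, cold-cache fetches of the same URL.
    """
    status: int
    headers: dict
    body: bytes = b""


def cache_max_age(resp):
    """Return the Cache-Control max-age in seconds, or None when absent."""
    m = re.search(r"max-age=(\d+)", resp.headers.get("cache-control", ""))
    return int(m.group(1)) if m else None


def compare_cold_fetches(first, second):
    """Compare two responses for the same URL from independent cold caches.

    Returns a list of findings (strings). An empty list means nothing in the
    cache validators or the redirect target varied between the two visitors,
    which is what a resource that is merely cached, not tracked, looks like.
    """
    findings = []

    # Case 1: identical content served with different validators. A genuine
    # ETag or Last-Modified is a function of the representation, so two
    # byte-identical bodies should carry the same value.
    same_body = hashlib.sha256(first.body).digest() == hashlib.sha256(second.body).digest()
    if first.status == 200 and second.status == 200 and same_body:
        for name in ("etag", "last-modified"):
            va, vb = first.headers.get(name), second.headers.get(name)
            if va and vb and va != vb:
                findings.append(f"{name} differs for byte-identical body: {va!r} vs {vb!r}")

    # Case 2: a cacheable redirect whose target differs per visitor. Once the
    # browser caches it, every later request to the fixed URL replays the
    # visitor-specific target, which is the assumed 301 mechanism.
    if 300 <= first.status < 400 and 300 <= second.status < 400:
        la, lb = first.headers.get("location"), second.headers.get("location")
        if la and lb and la != lb:
            age = cache_max_age(first)
            note = f" (cacheable for {age}s)" if age else ""
            findings.append(f"redirect target differs per visitor: {la!r} vs {lb!r}{note}")

    return findings


# Constructed sample responses (not captured from any real site).
BODY = b"<html>static tracking pixel page</html>"
HONEST_A = Response(200, {"etag": '"5d41-1a2b"', "cache-control": "max-age=3600"}, BODY)
HONEST_B = Response(200, {"etag": '"5d41-1a2b"', "cache-control": "max-age=3600"}, BODY)
TRACK_ETAG_A = Response(200, {"etag": '"visitor-000001"', "cache-control": "max-age=31536000"}, BODY)
TRACK_ETAG_B = Response(200, {"etag": '"visitor-000002"', "cache-control": "max-age=31536000"}, BODY)
TRACK_301_A = Response(301, {"location": "/u/a1b2c3", "cache-control": "max-age=31536000"})
TRACK_301_B = Response(301, {"location": "/u/d4e5f6", "cache-control": "max-age=31536000"})


def run_demo():
    """Run the three constructed comparisons and return findings per case."""
    return {
        "honest": compare_cold_fetches(HONEST_A, HONEST_B),
        "etag": compare_cold_fetches(TRACK_ETAG_A, TRACK_ETAG_B),
        "redirect": compare_cold_fetches(TRACK_301_A, TRACK_301_B),
    }


if __name__ == "__main__":
    for case, findings in run_demo().items():
        print(case, "->", findings or "no per-visitor difference")
```

The check is only as good as the independence of the two fetches: both must start from an empty cache with no cookies, otherwise a replayed validator or redirect hides the difference. A legitimate site can still trip the ETag case when it serves the same bytes from two backends with different ETag schemes, so treat a finding as a prompt to look at the response, not as proof on its own.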

~~~
erichocean
It's so old it's even in Wikipedia:
<http://en.wikipedia.org/wiki/HTTP_ETag#Tracking_using_ETags>

~~~
s_henry_paulson
Being in Wikipedia is rarely associated with something being "old"

------
tmister
See also evercookie <http://samy.pl/evercookie/>.

------
SquareWheel
Demo site appears down, but I get the gist of it. It's just abusing browser
caching.

Rather than a bunch of ad networks and analytics companies finding
workarounds, I'd rather sites just stand up to this obviously flawed rule.
It's ill thought out, and I have no plans to offer one of those annoying "Hey,
this site uses cookies, just like every other site on the internet!" alerts.

~~~
anonymouz
So in your opinion the flaw with the rule is that it violates your natural
right to store cookies on your visitors browsers without asking?

If your visitors have to log in you might as well show them such a message. If
they don't have to log in, there is probably also no reason for them to accept
your cookies.

While almost every site on the Internet uses cookies, most of them are of no
benefit to a visitor. And yes, technical solutions exist, but they are not
really suitable for a vast majority of the population that simply does not
know about cookies, and which cookies to accept.

~~~
SquareWheel
It's not a natural right, it's a technical right. It's a fundamental storage
mechanism of browsers. It means you don't have to log in every time you
browse to my site, or you don't have to enter your birthday every time you
want to browse mature content. It means advertisers are delivering the right
ads, and that site owners can see where the bounce rates are highest for users
and fix that page. Cookies are important, and the web functions better with
them enabled and accessible to site owners.

Personally, I get annoyed when I'm badgered by notices, and sometimes even
modal windows, for cookie notices. Of course your site uses cookies, it's just
like every other site on the web. I shouldn't have to agree to a notice every
time I visit a new domain. I have a browser toggle and if cookies offend me
for some reason I can disable them.

~~~
mattmanser
Technical right. Fantastic!

Look at what cookies websites actually store.

When you go to many sites there are a bunch of other people spying on you and
setting cookies that you didn't even know.

I don't agree with the implementation of this law, but I certainly agree with
its intent.

~~~
ZoFreX
No site can force you to set their cookies - you can simply turn that option
off in your browser. You can even whitelist just the sites you trust, or
blacklist just the sites you don't trust.

Not that you can really tell, anyway - it's impossible to know just by looking
at a cookie what it's really being used for, or what data on you is being
tracked. There are certainly good reasons to give cookies to users that have
not logged in yet, though - one example that springs to mind is a CSRF token.

Lastly, what is this meant to achieve? The aim is to crack down on activity
that was _already illegal_ before this law came in. Sites that were doing
naughty things and tracking users illegally aren't exactly going to stop
because they now have to show a notice about cookies. Before the law came in I
said "they'd just not bother showing the notice" but frankly, they could abide
by it - users would just click "yes" anyway out of habit!

------
patrickmay
This paper on browser fingerprinting shows that it is possible to identify a
particular user, with reasonably high reliability, without using cookies or
other tricks: <https://panopticlick.eff.org/browser-uniqueness.pdf>

------
ukjamster
I agree with paulsutter - this does not comply with the law, nor do any of the
hacky workarounds that I've seen mooted (except perhaps server side log file
analysis - old school). I've added a comment to that site, which is awaiting
moderation.

------
rhizome
Is it just me being perfectionist, or does needing to OCD your cookie data
down to census level indicate that maybe your business model needs a little
work? Are there certain niches where this degree of tracking is really
necessary?

------
mixedbit
Standard HTTP headers carry values that are distinct enough to uniquely
identify most visitors: <https://panopticlick.eff.org/>

~~~
ErikD
That uses mostly data collected clientside using javascript and flash. HTTP
headers alone are no way enough.

------
brianchu
Unless you want to get sued
(<http://www.extremetech.com/internet/91966-aol-spotify-gigaom-etsy-kissmetrics-sued-over-undeletable-tracking-cookies>),
I would avoid doing this until the legal grey area surrounding non-cookie
tracking is resolved. I suppose you might be able to get a user to "agree" to
this if you have them agree to a ToS when they sign up, but even then I'm not
too sure of that.

------
d0m
The irony with the demo... "Passenger, rails deployments that just works" with
a huge Error page showing security-sensitive stack traces.

------
16s
Ironic that the first thing that site does is try to set a cookie in my
browser. I denied it. Also, I have JavaScript turned off.

~~~
fooyc
What does the web look like from the 90's?

~~~
16s
It looks like the Web without privacy snoops whoring out visitor clicks to the
highest bidder.

------
sasoon
Why not just use localStorage instead of cookies?

~~~
wooptoo
Because localStorage may pop a message window on some browsers.

------
akaru
As others have mentioned, this is old news. And this site should really be
ignored as trash..."Scatman Dan"?

------
wooptoo
Can be done with ETags too.

