Cookies & Advertising Networks
What is a Cookie?
What is an Advertising Network?
Here is an example illustrating the interaction with an advertising network. Suppose a user visits the website www.a.com and gets back an HTML page that contains a URL for an ad on www.ads.com, an advertising network website. Besides returning an ad, www.ads.com will send a cookie to the user's browser, which the browser will return to the advertising network with every visit to www.ads.com.
The advertising network's awareness of the ads shown to a user spans all the websites affiliated with the advertising network. This is possible because the "ad" cookies come from the advertising network, not from the individual websites visited by the user.
The same caveats apply to the cookies from an advertising network as those that apply to other cookies. That is, if a user does not disclose personal information at any of the websites using the advertising network, the advertising network will not know who the user is, although it can assemble a portrait of the user. The portrait could comprise information about the websites visited and the pages seen by the user.
The Internet Engineering Task Force (IETF) standardization effort for cookies led to specification RFC 2965, titled HTTP State Management. RFC 2965 pays special attention to third-party cookies, the kind that advertising networks use, for example, and calls the transactions that give rise to them "unverifiable transactions." The cookie is "third-party" because it came from a site other than the one originally contacted by the user.
The reason the transactions are called "unverifiable" relates to the way the user experiences them. When a user clicks on a link for the website www.a.com, the user will not be surprised to get a cookie from www.a.com. But many users will be surprised if, while waiting for content to arrive from www.a.com, they get cookies from a different website, say www.ads.com. Since most browsers tell the user what site will be contacted if the user clicks on a link that the user's mouse is placed over, the user can verify which site will be contacted. But because automatic image loading is usually enabled, and because a user cannot preview the site that the browser will contact to download an ad before it actually does so, the ad-loading transaction is unverifiable.
RFC 2965 calls for special handling of cookies that arrive during an unverifiable transaction if they come from a server different from the one originally contacted. In the above example, cookies that arrive along with images from www.a.com would be okay, even though the user could not verify the image-load. The RFC says browsers must, by default, disable cookies in unverifiable transactions, although browsers may provide an option to enable them.
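The default-deny rule described above can be observed in Python's standard-library `http.cookiejar`, which implements RFC 2965 cookie processing. This is an added example, not part of the original article; the `FakeResponse` helper, the `accepted_cookie_domains` function, the cookie value and the URL paths are constructed for illustration.

```python
import email.message
import urllib.request
from http.cookiejar import CookieJar, DefaultCookiePolicy


class FakeResponse:
    """Constructed stand-in for an HTTP response; CookieJar only calls info()."""

    def __init__(self, set_cookie2):
        self._headers = email.message.Message()
        self._headers["Set-Cookie2"] = set_cookie2

    def info(self):
        return self._headers


def accepted_cookie_domains(url, origin_host, unverifiable, allow_third_party=False):
    """Return the domains whose cookies the jar kept for one simulated response."""
    policy = DefaultCookiePolicy(
        rfc2965=True,  # process Set-Cookie2 (RFC 2965) headers
        # True by default: drop third-party cookies in unverifiable transactions.
        strict_rfc2965_unverifiable=not allow_third_party,
    )
    jar = CookieJar(policy)
    request = urllib.request.Request(
        url, origin_req_host=origin_host, unverifiable=unverifiable
    )
    # Constructed cookie value, not taken from any real advertising network.
    response = FakeResponse('id=constructed123; Version="1"; Path="/"')
    jar.extract_cookies(response, request)
    return sorted(cookie.domain for cookie in jar)


if __name__ == "__main__":
    # Ad image loaded automatically while the user views www.a.com: rejected.
    print(accepted_cookie_domains("http://www.ads.com/banner.gif", "www.a.com", True))
    # Image loaded automatically from the site the user chose: accepted.
    print(accepted_cookie_domains("http://www.a.com/logo.gif", "www.a.com", True))
    # The user clicked through to www.ads.com, so the transaction is verifiable.
    print(accepted_cookie_domains("http://www.ads.com/offer.html", "www.ads.com", False))
    # Same ad load with the optional setting that re-enables third-party cookies.
    print(accepted_cookie_domains("http://www.ads.com/banner.gif", "www.a.com", True,
                                  allow_third_party=True))
```
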
As written, RFC 2965 would impede the way some advertising networks now work. The RFC did not set out with that aim, but it evolved while advertising networks were just forming. More recently, advertisers have explored coupling Platform for Privacy Preferences (P3P) information to the uses of third-party cookies, so the privacy intentions of the cookie sender can be described automatically.
Where Can I Find More Information?
David M. Kristol, firstname.lastname@example.org