Cookies – unlimited user tracking across the web
by Karsten Rendemann,
cookieinformation.dk
Held at EAAA on January 28th, 2016
References
1. Author of the ‘Technical Guide’ – part of Cookievejledningen
2. Advisor to DI regarding GDPA (Persondataforordningen)
3. Deliver the cookie declaration on 1,000 websites
Deliver data to many media
What is a cookie?
A cookie is data (text or binary data) that is
- received from a domain,
- stored in the browser and
- sent back to that same domain.
‘Cookies’ actually means ‘cookies and other tracking technologies’, such as:
HTTP and JavaScript cookies, HTML5 Local Storage, Flash Local Shared
Objects, Silverlight Isolated Storage, web beacons, pixel tags etc.
Can be loaded from any element on any page of a website
- The CMS, scripts, photos, forms etc.
Where can I see a cookie?
- even in a gif
Google Chrome: Right click on mouse, ‘Examine’, ‘Resources’, ‘Cookies’
1. Name
2. Value - ‘yes/no’, a time stamp, an encrypted ID
3. A domain that receives the data
4. A duration
Can be connected with your IP address,
where you are (GPS), who you are (via
login on social media), etc.
Purposes of cookies
1. NECESSARY
Necessary cookies help make a website usable by
enabling basic functions like page navigation and access
to secure areas of the website. The website cannot
function properly without these cookies.
2. PREFERENCES
Preference cookies enable a website to remember
information that changes the way the website behaves
or looks, like your preferred language or the region that
you are in.
3. STATISTICS
Statistic cookies help website owners to understand how
visitors interact with websites by collecting and reporting
information anonymously.
4. MARKETING
Marketing cookies are used to track visitors across
websites. The intention is to display ads that are relevant
and engaging for the individual user and thereby more
valuable for publishers and third party advertisers.
So what is a cookie declaration?
What if I look for cookies on eaaa.dk?
Different methods – varying quality
Google
What are data used for?
- collected about users using eaaa.dk
• ”Preserves users states across page requests.”
• ”Registers a unique ID that is used to generate statistical data on how the
visitor uses the website.”
• ”Optimises ad display based on the user's movement and various advertisers
bids for displaying user ads.”
• ”Used by Google AdSense to register and report the website user's actions
after viewing or clicking one of the advertiser's ads with the purpose of
measuring the efficacy of an ad and to present targeted ads to the user.”
• ”Registers a unique user ID that recognises the user's browser when visiting
websites that show ads from Adform. The purpose is to optimise display of ads
based on the user's movement combined with the ad bids placed by various
advertisers.”
Who receives data?
- from eaaa.dk
1. adform.net
2. doubleclick.net
3. youtube.com
4. eaaa.dk
Example:
Let us start with a script tag which makes it possible to
track the user
The script runs on all pages, sets a
tracking cookie and gathers information
about the user
Every time the user does anything, this is
sent to the third party, who can record it via a
unique user ID
Information about each page URL,
referrer URL, geography, browser and
device is automatically captured.
Data about the user is recorded across
ANY device and MULTIPLE websites
It is easy to track events
from both iOS and Android
mobile applications
The user IDs of each of the user's devices
are associated to create an aggregated
user profile
Live recording:
Tracking of a user across multiple websites and multiple devices
Some make a semantic analysis of each page URL,
so they know what the text is about
Each page is then analyzed to create Content Profiles with information from tags and
free text incl. author, people, places, companies, and sometimes combined with
third-party data
This one particular application tracks
more than one billion (1,000,000,000)
active user profiles based on more than
12 billion unique user IDs
Example user profile:
Long-term interests, intentions, context, keywords, segments, categories and event
stream
Why is this a problem?
• Price discrimination during online purchases
– Staples (office supply)
• Women are exposed to fewer ads for high
salary jobs
• Ads on your screen reflect what others
expect you to be interested in
– Also at school and at your job
From script to ad
When you go to another website, an ad tag
associates with you and checks which segments
you belong to.
The system responds with a list
of segments.
The ad tag sends the segment
information to the ad server and finds
a matching ad.
Demo: How a man will see a campaign targeted to men
Demo: A woman will see an ad targeted to women
Various performance data are logged
They can be used for
targeted
recommendations …
… and targeted offers
Look-alike modelling:
How it is spread to others with the
same profile as me
Data from third parties can be used,
e.g. social media, questionnaires
etc.
And then the ads can be
displayed to all similar people
Syndication – data sharing
• Much data is shared across
100s of partners
Some of LiveRamp's 200 partners
Also has cookies placed on e.g.
www.digst.dk
“LiveRamp (Cxense subsidiary)
is the leader in data connectivity,
helping the world’s largest brands use their
data to improve customer interactions on any
channel and device.
LiveRamp helps marketers eliminate data silos
and unlock greater value from the tools they
use every day. By connecting disparate
marketing platforms at the data layer, we
enable brands to use a new generation of data-driven marketing strategies for
ROI measurement, targeting, one-to-one
marketing, and more.”
On 40% of all cities’ websites
How did cookies get on eaaa.dk?
You ALWAYS do something yourself.
Eaaa.dk line 313-323, adform script
Beware of free scripts like AddThis
Free scripts often get the browser to visit various domains in
the background. Up to 23 have been documented.
Example:
Initiator: Script tag, source code line number 493:
http://player.qbrick.com/playerembed.js
The user's browser is then directed to:
http://dpm.demdex.net/id?d_rtbd=json&d_ver=2&d_orgid=B58F1CFE533095470A490D45%40AdobeOrg&d_cb=s_c_il%5B0%5D._setMarketingCloudFields
From where the cookie demdex is set.
Purpose: Via a unique ID used for semantic analysis of content, the user's
navigation on the website is registered and associated with offline data from surveys
and others with the objective of delivering targeted advertising.
What does the law say?
• New General Data Protection Regulation
(Persondataforordning) as of end of 2017
1. Data handler responsibility for third-party cookies
2. Documentation
3. Fine - €20 million or 4% of turnover
• Cookie law (already existing)
1. Examine your website
2. Remove unwanted cookies
3. Declare cookies and get Consent
Commercial benefits
AND IT’S ABOUT
TRUST
= PREDICTABILITY
= CORRELATION BETWEEN WHAT YOU WRITE
AND WHAT YOU DO
TO YOU AND YOUR WEBSITE
HOW TO ACHIEVE COMPLIANCE
1
COOKIE SCREENING
Identify all cookies
Produce documentation
Find all cookies from all third parties
- Our scanner analyses all pages, pretending to be a user in all the ways that can result in cookies
being set: various screen sizes, operating systems, browsers etc.
Documentation
Domain name of data recipient
Date for screening (36% of cookies change every month)
Name of each cookie
Name of the third party that receives data
Explain what the third party uses the data for
Duration of the cookie in the user's browser
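Added example (not from the original slides and not the presenter's scanner): a sketch of how a screening pass can turn a recorded page load into the documentation rows listed above, and trace each cookie back to the script the site itself embedded, as in the script-tag example earlier. The request-log format, all hosts and cookie values are constructed, and the last-two-labels domain rule is a simplifying assumption; the third party's name and its purpose still have to be filled in by hand.

```javascript
// Constructed request log for one page load; every host is a placeholder.
const LOG = [
  { url: "https://www.example.dk/", initiator: null,
    setCookie: ["session=abc123; Path=/; HttpOnly"] },
  { url: "https://player.video-cdn.example/embed.js",
    initiator: "https://www.example.dk/", setCookie: [] },
  { url: "https://id.tracker.example/id?cb=1",
    initiator: "https://player.video-cdn.example/embed.js",
    setCookie: ["uid=77f1c2; Domain=.tracker.example; Max-Age=15552000"] },
];
// Assumption: registrable domain = last two labels. Real screening needs the
// Public Suffix List (this shortcut is wrong for suffixes such as co.uk).
const site = (host) => host.toLowerCase().split(".").slice(-2).join(".");

// Extract name, receiving domain and duration from one Set-Cookie header.
function parseSetCookie(header, requestHost) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = { name: pair.split("=")[0], domain: requestHost, durationDays: null };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=");
    if (/^domain$/i.test(key) && value) cookie.domain = value.replace(/^\./, "");
    if (/^max-age$/i.test(key) && /^\d+$/.test(value)) cookie.durationDays = Number(value) / 86400;
  }
  return cookie; // durationDays === null: no Max-Age seen (Expires is not handled here)
}

// Walk the initiator chain back to the resource the site's own page embedded.
function embeddedBy(req, byUrl, firstParty) {
  const seen = new Set();
  for (let cur = req; cur && cur.initiator && !seen.has(cur.url); cur = byUrl.get(cur.initiator)) {
    seen.add(cur.url);
    if (site(new URL(cur.initiator).hostname) === firstParty) return cur.url;
  }
  return req.initiator ? null : req.url; // null: chain broken; own URL: the page itself
}

// One documentation row per cookie set during the page load.
function screenCookies(siteHost, log, screenedOn) {
  const firstParty = site(siteHost);
  const byUrl = new Map(log.map((r) => [r.url, r]));
  return log.flatMap((req) => req.setCookie.map((header) => {
    const c = parseSetCookie(header, new URL(req.url).hostname);
    return { screenedOn, name: c.name, receivingDomain: c.domain,
      thirdParty: site(c.domain) !== firstParty,
      durationDays: c.durationDays, embeddedBy: embeddedBy(req, byUrl, firstParty) };
  }));
}
console.table(screenCookies("www.example.dk", LOG, "2016-01-28")); // sample screening date
```

The `embeddedBy` column is what points at the script tag to remove when a third-party cookie is unwanted.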
2
DECLARATION
AND CONSENT
Add a true Cookie Declaration
Describe usage
Update banner
Change the text on the cookie banner
- Make it reflect what cookies are truly set
- Before end of 2017: make it withhold third-party cookies until consent is given
3
REMOVE UNWANTED
COOKIES
Remove the scripts that set
unwanted cookies.
Ready-made code
All languages
Individually branded
4
KEEP UPDATED
Monthly 36% of all cookies change
5
WEB PORTFOLIO
Cover all domains, subdomains
and login-areas
Also with/without www, http(s)
Questions?