What is a cookie?

Just this year, my children's school banned Pokémon cards and mangas. It’s funny. When I was a kid, my school banned mangas, too. And pogs! How things always do come full circle.

Now the problem with school is pretty apparent. It doesn’t matter whether it’s Pokémon cards, pogs or fidget spinners. You cannot ban the root cause, which is kids being kids. I have four boys. Trust me, they'll fight over pieces of bamboo and plastic bottles. So authorities are stuck playing Whac-a-Mole‘s with arbitrary bans when things start to go sideways... until the next fad.

This is how I see the European Union's struggle with cookies: a more or less futile exercise to control the technology means rather than the root cause. Advertising companies and data brokers need to sell people's information. If not cookies, something else.

But how have we got there in the first place? Why all the cookie craze? What are cookies? Or rather, can we have a non-B.S. explanation of what are cookies? Here I am. Cookies explained like you're five.

In this week's issue, I will explain:

• what cookies are from a technology point of view,
• how they’ve become to symbolize user tracking,
• how cookie banners should be improved actually to protect people.

But first, why is it called cookies?

The Technology of Cookies

Cookie is derived from the programmer slang of 'magic cookie' which in turn comes from 'fortune cookies'. Like the famous desert, a 'cookie' holds a tiny piece of information. What type of information? Most times, cookies carry opaque information. Here's an example from a gaming website where I created a free account with a burner email address:

SSID: AP8dLtz_WKY8S3uFjVFLfiJ550pMB_LEyQr-EHRb-SVip4buKCznFgeDxDcwzBiCdUlNdqm1WmR

I changed some of the values, but you get the idea. This cookie is what the games service uses to remind itself I am the user I registered with.

That’s a good start to understand how cookies work. A web server is in essence stateless. By 'stateless', I mean that the server doesn’t know who it is talking to. Let's look at a diagram.

Netflix can be seen as a single server that...eee... serves millions of people watching different shows simultaneously. Netflix doesn’t know who is watching what because it just streams movies. However, you don't want to receive bits of Too Hot to Handle from your neighbours, so Netflix has to remember who is watching to actually show the movie to the good person. Enter cookies.

Netflix servers send a cookie to your browser, mobile device, or TV. The information is stored in the application you use for watching, which is called the client. The server needs that information because otherwise, it doesn’t know who it is talking to!

How to check my cookies?

The easiest way on Google Chrome is to hit F12. In most other browsers, right-click and select "Inspect Element". This will take you to the developer tools of your browser. Go to "Application", you should see the cookies:

He leaked a cookie! Yes, but here's the thing: I scrambled the values. Based on this screenshot, you can learn 2 lessons:

1. That free games website makes money through advertising, and it uses a lot of third-party tracking cookies (more on that later)
2. Yes, you can modify cookies in your browser!

If the server did not implement correct security measures, a user could tamper with cookies and alter the behaviour of an application in unexpected ways. Imagine somehow changing your identity to that of your neighbour! This serious flaw is called broken authentication and can yield large bug bounties if you find them!  

Tracking Cookies

As you've seen in the image above, cookies are not merely used to keep track of your session. Turns out that having information about the user is quite valuable! Keen observers likely found out I was playing a crossword puzzle, for example. Looking at the list of different cookies, one also notices the presence of 3rd party cookies.

What is a 3rd party cookie? It's a cookie set by the server on behalf of another domain. Here, the foreign domains are for example pubmatic.com. So what happens here is Pubmatic distributes its code (which contains, say, ads banners) to its customers (the gaming website) that either:

1. Sets a cookie in your browser
2. Reads the cookie you already have.

Allowing it to build a profile of your browsing habits to better show you ads.

Funny fact: I was surprised Pubmatic was able to plant a cookie despite me using 2 layers of adblockers in my browser. Turns out Pubmatic is in GDPR crossfire for waiting only for 497 milliseconds for the user to grant consent to tracking.

This story shows why European courts struck ad tech and data brokers with cookie restrictions. Ad companies like Pubmatic don't really provide a benefit to the end users, yet they know a lot about our browsing habits.

And then there is the law.

Why cookie banners are so terrible and how to fix them

We are stuck with the dreaded cookie consent banners due primarily to the EU's ePrivacy Directive and, to some extent, the General Data Protection Regulation (GDPR). Lawmakers determined that a cookie in your browser could identify you and therefore websites must get your explicit consent to plant them.

There are two fundamental problems with the approach.

1. Cookies are actually useful and necessary. Did you ever read the cookie consent banners? Websites do an arcane classification of them: functional, strictly necessary, etc. The cognitive load they impose on people is overbearing."See, cookies are good, except those that can be evil, yet not evil because we've put them in our privacy policy."
2. The consent keeps getting buried in legal mumbo jumbo. They say an image is worth a thousand words, so here it is, from The Guardian:

By the way, read "legitimate interest" as "making money" and everything becomes clear. Replace "cookies" with "we are tracking you using technology means" and suddenly you speak plain language, and everybody can forget about cookies and the weird classification.

What irritates me the most is that there is a way to do this that does not suck. Look:

We can question OpenAI about its GDPR practices, but at least the non-bullshit warning you get when you sign in is readable by actual humans. Remember that New York Times story that identified reading an average Privacy Policy requires more cognitive resources than the Critique of Pure Reason by Emmanuel Kant.

Cookies, from a privacy perspective, are an artifice. French poet Alfred Musset famously wrote: "What matters the jug, if drunkenness be within?" Cookies are the jug here.

Meanwhile, I highly recommend Consent-O-Matic to watch it crush the dark patterns of even the most obtrusive cookie banners. Because I guess just like our kids with their mangas, we can't have nice things until someone ruins them for everyone.

❓ Question of the Week

What did your school ban that, in insight, was completely absurd?