Cookies Detected by Anti-Spyware Programs: The Current Status
Benjamin Edelman - Sponsored by Clicks2Customers
I test eleven anti-spyware programs for their treatment of cookies from 50 advertising systems. I report my observations in full detail, along with analysis of notable detections. For example, I find that PC Tools Spyware Doctor detects the most cookies from within my sample (50%), while cookies from Advertising.com, Aquantive/Atlas, Casale Media, FastClick, and MediaPlex are most often detected (each detected by 8 of the 11 anti-spyware programs tested). Conversion-tracking cookies from Yahoo Overture are widely detected (6/11), but no anti-spyware program detects the corresponding Google cookies, perhaps because Google's cookies use arbitrary names that are hard for scanners to identify. I conclude by reporting some anomalies observed in testing, and by suggesting privacy-protective practices that may nonetheless accommodate typical advertiser objectives.
Which anti-spyware programs detect which cookies? The subject occasionally prompts discussion. (1, 2, 3) Several groups have surveyed users' views of cookies (Burst Media, InsightExpress, JupiterMedia, The Pew Internet & American Life Project, Ponemon / Revenue Science, and WebTrends), generally finding that 30%-60% of users say they distrust cookies and say they delete cookies at least occasionally. On this basis, eMarketer urged online marketers to convince users of cookies' benefits, and Safecount.org called for enabling accurate advertising measurement while protecting consumer privacy.
Despite these many cookie-related efforts, it seems there has been no detailed hands-on testing of which anti-spyware programs (a primary means by which users delete cookies) detect and delete which cookies. Program-by-program testing is widely used to compare anti-spyware programs' detection of spyware and other unwanted software (1, 2, 3), but it seems no such testing has been performed as to cookie detections. This piece reports the results of such testing.
The treatment of cookies by anti-spyware programs poses important practical questions. If, as some vendors and privacy advocates allege, cookies present serious privacy concerns, users ought to know which programs best protect them from this threat. Conversely, because deleting cookies interferes with certain advertising measurements and payments, online advertisers and their partners might reasonably want to know which cookies are being deleted -- for example, to adjust their payments to make up for commissions lost by cookie-deletion.
Even the absence of consensus deserves investigation. Where security companies look at the same facts but reach different conclusions, their differing decisions may inform analysis of what characteristics make (or don't make) a given practice objectionable to security experts.
Advertisers' and Ad Networks' Perspective
Advertising systems use cookies for a mix of purposes, but primarily to track which users have seen which ads. Such tracking helps show ads more effectively -- e.g. by avoiding showing the same ad repeatedly to a single user. Such tracking also allows measurement of ad effectiveness -- to determine which ads yield purchases, and often to adjust payments accordingly.
While advertisers face significant design decisions in choosing exactly how to use cookies, cookies are the only clear method to track user behavior over an extended period (i.e. longer than a single browsing session). Without cookies, advertisers might not know which ads work best at getting new customers. Furthermore, sites that show ads might not be credited for all the customers they had sent to advertisers -- causing the sites to be underpaid. Hence the advertising industry's concern at the suggestion of users widely blocking or removing cookies.
Users' Perspective
Yet users have reasonable concerns, not entirely speculative, as to potential harms from cookies. Advertising systems serve multiple clients, so when an advertising system stores information in a cookie on a user's PC, that cookie generally includes information about the user's interaction with multiple ads for multiple merchants who share a common advertising system. Putting multiple pieces of information in a single cookie potentially lets the advertising system track the user's behavior across sites -- knowing that the user visited first one site, then another; and perhaps even knowing what, where, or how much the user purchased. Such detailed tracking often is not the advertising system's intent, and it's often beyond the advertising system's business plan, privacy policy, or operational code. But even the prospect of such tracking tends to alarm those who focus on online privacy.
Users' suspicion of cookies also arises out of certain characteristics of cookies' behavior. Whereas most files on users' disks are present because users put them there or because users installed software that put them there, cookies arrive on users' disks merely because users visit web sites that place such cookies. The cookies' arrival actually reflects browsers and sites working as they were designed -- but to typical users, the appearance of these unrequested files seems anomalous. Users who attempt to investigate are stymied, in that cookies' contents are typically indecipherable. But users can readily determine that the cookies offer them no direct benefit. With the arrival of unrequested suspicious files offering users no direct benefit, it's no surprise that users are concerned. (The Wall Street Journal's Walt Mossberg echoed these concerns when he classified cookies as spyware.)
Users' fears about cookies become all the more prominent as users consider other online privacy risks, like identity theft and search engine data retention. Users may not be able to protect themselves from those other risks, but deleting cookies is easy, fast, and perhaps (users think) at least somewhat helpful. Hence the rise in users' deletion of cookies.
When anti-spyware programs scale back their detection of cookies, users often express substantial concern. For example, in a summer 2005 beta release, Sunbelt changed its default handling of cookies -- from detecting cookies by default, to ignoring them by default, albeit with a prominent checkbox to toggle detection. Sunbelt's Director of Malware Research reported "swift and immediate" complaints from vocal users, alleging a "sellout" and "betrayal." Whatever security experts' views of cookies, at least some users seem to expect cookies to be detected, and such users seem to demand that anti-spyware vendors include this capability.
I sought to test which anti-spyware programs detect and remove which cookies. I first formed a sample of 50 distinct advertising systems -- ad networks, affiliate networks, and pay-per-click conversion-tracking systems. These advertising systems ranged from huge (the $115 billion Google) to quite small (numerous lesser-known affiliate networks). I obtained a sample link for each ad system -- a link that, when clicked, creates whatever cookies that ad system uses.
I prepared a test computer (a virtual machine) running Windows XP Service Pack 2 with no relevant software that would interfere with web browsing or cookie placement. On that test PC, I clicked through each ad system's sample link. I used a packet sniffer to confirm that cookies were sent to my test PC from the respective web servers, and I browsed my PC's Cookies folder to confirm that these cookies were in fact created.
I used virtualization software to take a snapshot of my virtual PC after all cookies were created. This allowed me to install anti-spyware programs onto separate virtual machines to avoid any incompatibilities from running multiple security suites on a single (virtual) computer.
I then installed the latest free versions (often, trials) of each anti-spyware program listed below. I accepted each program's default settings, and I used each program's standard update procedure to obtain its latest detection database.
I ran a scan, using each program's default settings, and I noted which cookies were detected.
In subsequent sections, I report cookies flagged for possible (or, in one case, automatic) deletion. But even where an ad system's cookie has been deleted, it would be erroneous to conclude that ad systems inevitably failed to count any associated transaction. For example, some ad systems use multiple cookies -- often one set by the ad system, and another by the advertiser -- such that a transaction can be tracked even if the ad system's cookie is deleted, so long as the advertiser's cookie remains. Similarly, if cookie deletion is infrequent, then tracking will still occur as advertisers and ad systems intend. For example, if a user runs an anti-spyware scan that deletes cookies once a month, the user's cookies will correctly track advertising occurring throughout each month, although they will fail to consider advertising from before the most recent scan.
The tables below report the cookies detected by the respective scanners. An "x" marks a cookie that was detected.
Affiliate Networks
| Computer Associates PestPatrol | LavaSoft Ad-Aware | McAfee Internet Security Suite | Microsoft Windows Defender | PC Tools Spyware Doctor | Spybot Search & Destroy | Sunbelt CounterSpy | Symantec Norton Internet Security | Trend Micro Anti-Spyware | Webroot Spy Sweeper | ZoneAlarm Internet Security Suite | Unweighted % Detected | |
| Affiliate Future | 0/11 (0.0%) | |||||||||||
| AffiliateFuel | x | 1/11 (9.1%) | ||||||||||
| AffiliateWindow | 0/11 (0.0%) | |||||||||||
| Affilinet | 0/11 (0.0%) | |||||||||||
| AzoogleAds | x | x | 2/11 (18.2%) | |||||||||
| Clickbank | x | x | x | x | 4/11 (36.4%) | |||||||
| ClixGalore | 0/11 (0.0%) | |||||||||||
| Commission Junction | x | x | x | x | x | x | 6/11 (54.5%) | |||||
| Commission Junction (BeFree) | x | x | x | x | x | x | x | 7/11 (63.6%) | ||||
| Converseon | 0/11 (0.0%) | |||||||||||
| CPA Empire | 0/11 (0.0%) | |||||||||||
| Digital River (One Network) | 0/11 (0.0%) | |||||||||||
| Digital River (Regnow) | x | x | 2/11 (18.2%) | |||||||||
| Direct Response | 0/11 (0.0%) | |||||||||||
| DirectTrack | x | x | 2/11 (18.2%) | |||||||||
| LinkConnector | 0/11 (0.0%) | |||||||||||
| Linkshare | x | x | x | x | x | x | x | 7/11 (63.6%) | ||||
| OMG Affiliate Marketing | 0/11 (0.0%) | |||||||||||
| Perfiliate / Buy.at | 0/11 (0.0%) | |||||||||||
| Performics | x | 1/11 (9.1%) | ||||||||||
| Primary Ads | x | x | 2/11 (18.2%) | |||||||||
| ShareaSale | 0/11 (0.0%) | |||||||||||
| ShareResults | 0/11 (0.0%) | |||||||||||
| Tradedoubler | x | x | x | x | x | x | 6/11 (54.5%) | |||||
| Webgains | 0/11 (0.0%) | |||||||||||
| Webmasterplan | x | 1/11 (9.1%) | ||||||||||
| Zanox DE | 0/11 (0.0%) | |||||||||||
| Zanox US/UK | x | x | 2/11 (18.2%) |
Pay-Per-Click Conversion Tracking
| Computer Associates PestPatrol | LavaSoft Ad-Aware | McAfee Internet Security Suite | Microsoft Windows Defender | PC Tools Spyware Doctor | Spybot Search & Destroy | Sunbelt CounterSpy | Symantec Norton Internet Security | Trend Micro Anti-Spyware | Webroot Spy Sweeper | ZoneAlarm Internet Security Suite | Unweighted % Detected | |
| Google Conversion Tracking | 0/11 (0.0%) | |||||||||||
| Yahoo Conversion Tracking | x | x | x | x | x | x | 6/11 (54.5%) |
Ad Networks and Ad Hosting
| Computer Associates PestPatrol | LavaSoft Ad-Aware | McAfee Internet Security Suite | Microsoft Windows Defender | PC Tools Spyware Doctor | Spybot Search & Destroy | Sunbelt CounterSpy | Symantec Norton Internet Security | Trend Micro Anti-Spyware | Webroot Spy Sweeper | ZoneAlarm Internet Security Suite | Unweighted % Detected | |
| AdRevolver | x | x | x | x | x | x | 6/11 (54.5%) | |||||
| Advertising.com | x | x | x | x | x | x | x | x | 8/11 (72.7%) | |||
| Atlas/Aquantive | x | x | x | x | x | x | x | x | 8/11 (72.7%) | |||
| Bluestreak | x | x | x | x | x | x | 6/11 (54.5%) | |||||
| Casale Media | x | x | x | x | x | x | x | x | 8/11 (72.7%) | |||
| DoubleClick | x | x | x | x | x | x | x | 7/11 (63.6%) | ||||
| DoubleClick (Falk eSolutions) | x | x | x | x | x | 5/11 (45.5%) | ||||||
| FastClick | x | x | x | x | x | x | x | x | 8/11 (72.7%) | |||
| MatchCraft | x | 1/11 (9.1%) | ||||||||||
| Revenue Science | x | 1/11 (9.1%) | ||||||||||
| Traffic Marketplace | x | x | x | x | x | x | 6/11 (54.5%) | |||||
| YieldManager | x | x | x | x | x | 5/11 (45.5%) | ||||||
| Zedo | x | x | x | x | x | x | x | 7/11 (63.6%) |
Miscellaneous Ad Tracking
| Computer Associates PestPatrol | LavaSoft Ad-Aware | McAfee Internet Security Suite | Microsoft Windows Defender | PC Tools Spyware Doctor | Spybot Search & Destroy | Sunbelt CounterSpy | Symantec Norton Internet Security | Trend Micro Anti-Spyware | Webroot Spy Sweeper | ZoneAlarm Internet Security Suite | Unweighted % Detected | |
| Hitbox | x | x | x | x | x | x | 6/11 (54.5%) | |||||
| Intellitracker | x | x | 2/11 (18.2%) | |||||||||
| Mediaplex | x | x | x | x | x | x | x | x | 8/11 (72.7%) | |||
| Mediaplex (adserver.com) | x | x | x | x | 4/11 (36.4%) | |||||||
| Omniture | x | x | x | x | x | 5/11 (45.5%) | ||||||
| StatCounter | x | x | x | x | x | x | x | 7/11 (63.6%) | ||||
| Webtrends | x | x | x | x | 4/11 (36.4%) |
Anti-Spyware Programs Compared
The preceding tables show a striking result: Some anti-spyware programs detect far more cookies than others. The table below summarizes their respective detections (weighting all ad systems equally):
| | Affiliate Networks | Pay-Per-Click Conversion Tracking | Ad Networks and Ad Hosting | Miscellaneous Ad Tracking | Overall |
| --- | --- | --- | --- | --- | --- |
| PC Tools Spyware Doctor | 8 (28.6%) | 1 (50.0%) | 12 (92.3%) | 4 (85.7%) | 25 (50.0%) |
| Trend Micro Anti-Spyware | 7 (25.0%) | 1 (50.0%) | 12 (92.3%) | 4 (42.9%) | 24 (48.0%) |
| LavaSoft Ad-Aware | 6 (21.4%) | 1 (50.0%) | 10 (76.9%) | 7 (57.1%) | 24 (48.0%) |
| Webroot Spy Sweeper | 7 (25.0%) | 1 (50.0%) | 10 (76.9%) | 5 (57.1%) | 23 (46.0%) |
| Sunbelt CounterSpy | 6 (21.4%) | 1 (50.0%) | 8 (61.5%) | 4 (14.3%) | 19 (38.0%) |
| Computer Associates PestPatrol | 3 (10.7%) | 0 (0.0%) | 9 (69.2%) | 6 (28.6%) | 18 (36.0%) |
| ZoneAlarm Internet Security Suite | 3 (10.7%) | 1 (50.0%) | 10 (76.9%) | 4 (42.9%) | 18 (36.0%) |
| Spybot Search & Destroy | 3 (10.7%) | 0 (0.0%) | 5 (38.5%) | 2 (14.3%) | 10 (20.0%) |
| McAfee Internet Security Suite | 0 (0.0%) | 0 (0.0%) | 0 (0.0%) | 0 (0.0%) | 0 (0.0%) |
| Microsoft Windows Defender | 0 (0.0%) | 0 (0.0%) | 0 (0.0%) | 0 (0.0%) | 0 (0.0%) |
| Symantec Norton Internet Security | 0 (0.0%) | 0 (0.0%) | 0 (0.0%) | 0 (0.0%) | 0 (0.0%) |
By default, anti-spyware programs from the two largest security vendors (Symantec and McAfee) do not detect cookies, and neither does anti-spyware software from Microsoft. Other vendors all detect at least some cookies -- but with substantially fewer detections by Spybot than by others.
The various advertising systems also differ dramatically in their detection rates. The table below summarizes their respective cookie deletions. The "unweighted" column counts all 11 anti-spyware programs equally, while the "weighted" column weights the programs according to their estimated market-shares. (See estimation methodology.)
[Table: unweighted and weighted detection rates for each ad system, grouped under Affiliate Networks, Ad Networks and Ad Hosting, Pay-Per-Click Conversion Tracking, and Miscellaneous Ad Tracking; the table's rows are not preserved.]
Cookie deletion can interfere with advertisers' tracking of conversion rates -- preventing advertisers from correctly deducing the sources of sales that occurred, and preventing advertisers from paying commissions accordingly. But these effects can be corrected via appropriate bonus payments. Suppose an advertiser knows that 25% of its affiliates' cookies are being deleted by anti-spyware programs. (Out of 100 affiliate-originating purchases, 25 would be lost.) In principle the advertiser could offer a 33% bonus to its affiliates. Then, for each of the 75 purchases correctly tracked, the advertiser would pay commission at a 1.33 multiplier, thereby paying out 100 units of commission in total. An affected advertiser could implement such a bonus while keeping its promotional costs no higher than a competitor paying the base commission rate, whose cookies are, for whatever reason, not deleted.
Despite the large deletion rates in the preceding sections, the effective rate of cookie deletion may be less than those sections suggest. In general, online advertising is understood to have greatest effect in the short run: An ad seen one day is more likely to produce a purchase right then, or perhaps the next day, than far in the future. This time-sensitivity means cookies need not last for long in order to serve their primary purpose. For example, if a user deletes cookies once a month, a typical cookie will be two weeks old, on average, when it is deleted. But for most products, users are unlikely to be spurred to make a purchase based on an ad seen two weeks earlier; by the time two weeks have elapsed, either the user has long-since made the purchase, or the user will not make such a purchase.
The more often users delete cookies, the greater the interference with advertisers' tracking. Similarly, the longer the lag between ad-display and typical user purchase, the greater the interference caused by a given cookie-deletion frequency, all else equal. (Some products, like complex and high-value purchases, surely have longer planning periods than smaller, routine transactions.) See also Atlas's The Effect of Cookie Deletion on Conversion Tracking.
To calculate the likely effects of cookie deletion on merchants and on their affiliate partners, I have developed a revenue loss calculator. Given a weighted cookie deletion rate and given basic information about the conversion speed of a given advertiser, the calculator will report the likely effect of cookie deletion on that advertiser's partners.
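One way to make the reasoning in this section concrete, as an added example that is not the author's revenue loss calculator. It assumes cookie-deleting scans run at a fixed interval with random timing relative to the ad click, and that the click-to-purchase lag is exponentially distributed; all function and parameter names are hypothetical.

```python
import math
import random


def lost_fraction(deletion_rate, scan_interval_days, mean_lag_days):
    """Share of ad-driven purchases that go uncredited because the cookie
    was deleted between the ad click and the purchase.

    Assumptions of this example (not taken from the article):
      * deletion_rate: share of buyers whose scanner deletes this cookie
      * those scanners run every scan_interval_days, at a random phase
      * click-to-purchase lag is exponential with mean mean_lag_days
    """
    if not 0.0 <= deletion_rate <= 1.0:
        raise ValueError("deletion_rate must be between 0 and 1")
    if scan_interval_days < 0 or mean_lag_days < 0:
        raise ValueError("durations must be non-negative")
    if mean_lag_days == 0:
        return 0.0              # immediate purchase: the cookie is still there
    if scan_interval_days == 0:
        return deletion_rate    # blocked on arrival: the cookie never exists
    # P(a scan falls between click and purchase | lag t) = min(t / T, 1).
    # For an exponential lag with mean m, E[min(t, T)] = m * (1 - exp(-T / m)).
    T, m = scan_interval_days, mean_lag_days
    p_scan_in_window = m * (1.0 - math.exp(-T / m)) / T
    return deletion_rate * p_scan_in_window


def bonus_for_loss(lost):
    """Commission bonus that restores the total payout when a share `lost`
    of sales goes untracked (25% lost -> one-third bonus, as in the text)."""
    if not 0.0 <= lost < 1.0:
        raise ValueError("lost share must be in [0, 1)")
    return lost / (1.0 - lost)


def simulate(deletion_rate, scan_interval_days, mean_lag_days,
             n=200_000, seed=1):
    """Monte Carlo cross-check of lost_fraction under the same assumptions."""
    if scan_interval_days <= 0 or mean_lag_days <= 0:
        raise ValueError("simulation needs positive durations")
    rng = random.Random(seed)
    lost = 0
    for _ in range(n):
        if rng.random() >= deletion_rate:
            continue            # this buyer's scanner leaves the cookie alone
        lag = rng.expovariate(1.0 / mean_lag_days)
        days_to_next_scan = rng.uniform(0.0, scan_interval_days)
        if days_to_next_scan < lag:
            lost += 1           # cookie deleted before the purchase happened
    return lost / n


if __name__ == "__main__":
    # Constructed inputs: 25% of buyers run a deleting scanner, mean lag 2 days.
    for interval in (30, 7, 1, 0):
        loss = lost_fraction(0.25, interval, 2)
        print(f"scan every {interval:>2} days: lost {loss:6.2%}, "
              f"offsetting bonus {bonus_for_loss(loss):6.2%}")
```

Under these assumptions the effective loss stays well below the raw deletion rate when scans are monthly and purchases follow ads within days, and it approaches the raw deletion rate as scans become more frequent or cookies are blocked on arrival.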
Some anti-spyware programs include features to block cookies on arrival -- effectively deleting a cookie instantaneously. In that case, depending on ad system design, advertisers might be unable to track transactions at all, or they might be unable to track transactions that occur after the current browsing session. But none of the anti-spyware programs I tested included such blocking in their default configurations.
In the course of testing the programs listed above, I observed some notable anomalies. I report a few anomalies here to show the extent of apparent confusion as to what cookies do and why users might want to be concerned.
Spyware Doctor detects a falkag.net cookie as 2ndThought
Spybot detects a regnow.com cookie as VX2.Favoriteman
Several scanners' signature files misclassified the cookies they found.
In each instance, the detection of these cookies was consistent with the vendors' respective cookie-detection policies. But the descriptions shown to users were inaccurate.
In a spyware scan performed using ZoneAlarm, I was surprised to find that all detected cookies were removed automatically -- not just found and listed. I had pressed a button labeled "Scan for Spyware," suggesting that the program would only scan, but not remove, whatever threats it found. Instead, ZoneAlarm removed detected cookies without any further prompting. As best I could tell, this removal was irreversible: The cookies were simply deleted, not quarantined, and I found no undelete function. That said, it's unlikely that many consumers would want to reverse the detection. After all, these cookies don't directly benefit users, so there's no clear reason why users would want the cookies back.
Most striking among apparent cookie errors are strongly-worded statements on Webroot's web site. Webroot's Spyware Education Center specifically claims "The more cookies you have on your PC, the more pop-ups you'll see." That's affirmatively false: Cookies do not cause pop-ups, nor do more cookies lead to more pop-ups. Other Webroot documents also make strong statements about cookies. For example, Webroot's 2005 Q3 State of Spyware report stated in a simple declarative sentence: "Tracking cookies are one type of spyware" -- even as another section of that same document admitted that there is "debate [as to] whether cookies should be classified as spyware."
Sunbelt: cookies are "low" risk, with a prominent "ignore" option
Webroot: "spy cookies" are "threats", though just 1/5 red bars
ZoneAlarm reports previously-detected cookies as "spies"
Even where cookies were accurately detected and described as such, descriptions varied dramatically.
Alternatives to Network Cookies
Ad-network cookies are not the only means of tracking user activities. Many advertising systems could accomplish their objectives without using network cookies, i.e. by using URL parameters to tell a merchant where its traffic is coming from. Having received origin information as a URL parameter, a merchant could set its own cookie to store the origin of a given user. The same information would still be tracked -- which users clicked which ads to reach which merchants -- but the information would be stored separately, in separate cookies for each merchant, rather than in large network cookies. Such separation might increase user privacy, both actual and perceived, by eliminating centralized tracking of users' activities. Furthermore, this implementation would probably reduce cookie deletion, because merchant-specific cookies contain useful information users want to retain (e.g. saved passwords, automatic logins, etc.) and because there are too many merchants for typical anti-spyware programs to easily track them all. This general approach, i.e. first-party cookies in lieu of multipurpose third-party network cookies, is favored by WebTrends. First-party cookies are also known to be used by at least some affiliate marketing systems. For example, LinkShare is known to use first-party cookies to track "return-day" delayed purchases.
Private labeling offers another alternative tracking model. Suppose a merchant allocated a third-level host name to its ad system, e.g. linkshare.dell.com. Then the ad system could set cookies within the merchant's second-level domain name, and the merchant could retrieve such cookies later, as needed. This approach is used by DirectTrack (among others).
Other possible tracking methods include pixel-tracking, HTTP referer-header tracking, and conversion to an in-house tracking system. Each system has potential downsides -- often implementation cost, complexity, or reliability. But creative alternatives remain possible, especially because multiple tracking methods can be combined to reduce the risk of data loss.
Google's Conversion-Tracking Cookies
Google's conversion-tracking cookies offer an unusual model of cookie implementation. Google creates a separate cookie for each advertiser, using the "path" feature of the cookie system to insist that each advertiser's tracking data be stored separately and retrieved only when specifically requested by Google. Below is an example Google cookie-setting instruction, with its path parameter highlighted:
Set-Cookie: Conversion=Cp8BQlUzTTc1Um4tUkxMcExhU293UUs4OHVHbEN2YngtaGV5bXZHQ0FvN0Rpd2pndGcw UUFSZ0NLQWc0QUVpdU9WQ3J5N2k2LVBfX19fOEJtQUg1andhZ0FlU05oZjREcWdFZ1IwZE1TaXRIUjB4S09qSXdNRFl 0TURjclI wZE1TanBsYml0SFIweEtPazdJQVFHVkFpTTRVQXJJQW9qWUVBEhMIy9ew0uSXhwIVFQ8VCh1VRwbLGAEgm JWGqN-gmt8cSAE; expires=Fri, 06-Oct-2006 00:45:22 GMT; path=/pagead/conversion/1069631204/
In Internet Explorer's cookie implementation, the resulting cookie data is stored not in a large file called, e.g., googleadservices.txt (googleadservices.com being the domain that sent this set-cookie instruction). Instead, this cookie is stored in an advertiser-specific file, namely 1069631204.txt. If the user clicks other ads placed by this same advertiser, the resulting cookies will be stored in the same 1069631204 cookie file. But cookies associated with other advertisers will be stored in separate files.
Google is incapable of checking cookies from all advertisers simultaneously. For example, a basic www.googleadservices.com request would have a null path ("/"), which would not match any of the specific numeric paths associated with whatever ads a user had previously clicked. As a result, a basic www.googleadservices.com request cannot retrieve these cookies; the only way for Google to retrieve a given cookie is by requesting that cookie specifically. In contrast, other ad systems (e.g. the corresponding system at Yahoo) can directly retrieve information about which ads a user has previously seen. In this respect, Google's ad-tracking cookie is more privacy-protective than others I examined.
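The path scoping described above, as an added example rather than code from the original page: it applies the path-match rule of RFC 6265 (section 5.1.4) to a small cookie jar. The shortened cookie values, the second advertiser id 2000000002 and the host ads.network.example are constructed for illustration, and domain matching is simplified to an exact host comparison.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    host: str    # host that set the cookie (exact-host match: a simplification)
    name: str
    value: str
    path: str


def parse_set_cookie(host, header):
    """Extract name, value and path from one Set-Cookie header line."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    first, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    path = "/"   # simplification: the real default derives from the request URL
    for attr in attrs:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "path" and val.strip().startswith("/"):
            path = val.strip()
    return Cookie(host, name.strip(), value.strip(), path)


def path_match(request_path, cookie_path):
    """RFC 6265 section 5.1.4: does request_path fall under cookie_path?"""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # Prefix only counts at a "/" boundary, so /a/12 does not cover /a/123.
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookies_sent(jar, host, request_path):
    """Cookies a browser would attach to a request for host + request_path."""
    return [c for c in jar
            if c.host == host and path_match(request_path, c.path)]


GOOGLE = "www.googleadservices.com"
NETWORK = "ads.network.example"      # hypothetical network using one "/" cookie


def sample_jar():
    """Constructed jar: two per-advertiser cookies and one network-wide cookie."""
    return [
        parse_set_cookie(GOOGLE, "Set-Cookie: Conversion=AAAA; "
                         "expires=Fri, 06-Oct-2006 00:45:22 GMT; "
                         "path=/pagead/conversion/1069631204/"),
        parse_set_cookie(GOOGLE, "Set-Cookie: Conversion=BBBB; "
                         "path=/pagead/conversion/2000000002/"),
        parse_set_cookie(NETWORK, "Set-Cookie: uid=CCCC; path=/"),
    ]


if __name__ == "__main__":
    jar = sample_jar()
    requests = [
        (GOOGLE, "/"),
        (GOOGLE, "/pagead/conversion/"),
        (GOOGLE, "/pagead/conversion/1069631204/"),
        (NETWORK, "/any/page"),
    ]
    for host, path in requests:
        values = [c.value for c in cookies_sent(jar, host, path)]
        print(f"{host}{path} -> {values}")
```

A request to the root or to the shared parent directory carries neither advertiser's cookie, while the network-wide cookie scoped to "/" accompanies every request to its host.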
In my testing, no anti-spyware program detected or removed any of these Google cookies, even as six of the anti-spyware programs deleted the corresponding mega-cookie file placed by Yahoo Overture. Why the difference? Perhaps anti-spyware programs regard Google's system as more privacy-protective -- since Google cannot easily read all these distinct cookies en masse. Or perhaps anti-spyware programs have no easy way to detect these arbitrarily-named numeric files without a risk of random false positives.
Google's system achieves some of the separation benefits of first-party cookies, but with the lower implementation costs of cookies placed directly by Google. This general approach may be able to achieve ad systems' measurement objectives while simultaneously addressing typical user privacy concerns.
While anti-spyware programs delete some cookies, it's also striking what cookies no programs touched. Consider, for example, the main cookies for Google.com. Reports indicate that Google keeps records of what each of its users searches for -- and cookies let Google group and analyze all searches from a given user. The totality of a user's search history typically includes substantial sensitive information, often personally-identifying information, as uncovered in analysis of search data recently released by AOL. Most users probably face more serious risks from search engines storing such sensitive search logs, than from ad networks tracking which merchants users visit. Yet many anti-spyware programs delete ordinary marketing cookies, while leaving the Google.com cookie untouched. Why? One simple explanation is user experience: Deleting Google's cookie would interfere with features users care about, like automatic login and search history. In contrast, anti-spyware programs can delete marketing cookies with impunity, without causing harm that users are likely to notice. But the differences go further. Deleting Google's cookie would be ineffective: Many users have Google accounts, e.g. for Gmail or Google's other login-required services. This login data lets Google track a user's searches even without cookies. As a practical matter, there's probably little an anti-spyware program can do to protect users from tracking by Google.
In short, cookie-deletion is a blunt instrument. It does not fully protect users' interests, nor does it fully address users' reasonable concerns. At the same time, cookie-deletion interferes with marketing practices many users would probably find unobjectionable (or at least of reduced concern) if they learned more.
For those who are convinced that anti-spyware programs ought to delete ad system cookies, my results offer cause for concern. Why have so many small ad systems' cookies been overlooked? And why do anti-spyware vendors overlook cookies from the biggest ad system, Google?
My results are also worrisome to those who believe ad system cookies present minimal privacy risk. Why do so many unobjectionable cookies get deleted? Why is such deletion so inconsistent across ad systems and across anti-spyware vendors?
But for both groups, I wonder whether sensible system design offers a useful way forward. Could shorter cookie durations address ad systems' needs, while reducing user privacy concerns? If most conversions occur within days of an ad impression, a far longer cookie duration may be unnecessary and needlessly privacy-invasive. Similarly, it seems separating cookies into advertiser-specific chunks -- either first-party cookies, or path-specific third-party cookies -- might blunt many privacy concerns, while preserving the tracking many advertisers consider most important. In the short run, an interested researcher could prepare a listing of which ad systems use which tracking methods, either based on hands-on testing or on vendors' submissions, to improve transparency as to practices in this field.
So long as cookie-deletion remains substantial, advertisers may find their analysis is most accurate and most helpful if it specifically considers the effects of cookie deletion. For example, Atlas reports that its assessment of web site reach and frequency reflects adjustments for cookie deletion. In particular, to avoid bias from recently-deleted or recently-replaced cookies, Atlas says it uses only data from long-time cookies when preparing these statistics. With real money changing hands based on cookies' reports -- advertisers paying their partners based on what cookies indicate -- such corrections probably warrant further consideration.
Benjamin Edelman is a Ph.D. candidate at the Department of Economics at Harvard University, where he studies the economics of Internet advertising. His recent academic work focuses on pay-per-click market design, bidder strategies, and policy implications. He also tracks advertising fraud, including spyware, typosquatting, and other unsavory practices.
Clicks2Customers is an award-winning Pay for Performance Search Marketing & Technology company that focuses specifically on managing large keyword campaigns (+1m keywords) for clients on Google, Yahoo, MSN & Ask. Clicks2Customers has built a stable of proprietary technologies and a staff of over 50 people in Cape Town, Johannesburg, London and Los Angeles. Clicks2Customers currently runs campaigns in 8 languages and 12 countries.
Clicks2Customers requested that Mr. Edelman conduct these tests, and compensated him for a portion of his time doing so. This report is now posted to Vinny Lingham's site as featured guest research, but Mr. Edelman, not Clicks2Customers, retains editorial control over this piece. He alone is responsible for its contents and conclusions.