How Do Internet Advertisers Use Third-Party Cookies?

2

17

If a given web server can only read cookies from those set within its own domain, how do Internet advertisers track users' web traffic from websites outside of their network?

Is there some kind of "supercookie" global advertising system that allows advertisers to retrieve upper-level domain cookies and then query some server (from an affiliate) that houses information about where that user has been?

Update:

To clarify my question, is it possible for an advertiser that publishes ads on "example2.com" to ascertain that I visited a particular site "example1.com" if they had never served an ad on a page from "example1.com"?

Monosymmetric answered 9/1, 2012 at 20:46 Comment(0)
22

There is no need for a "supercookie". Each server reads its own domain's cookies. The servers pass information to each other through URLs. (Or, less commonly, through backchannels.)

For example, say you go to example.com. You have an example.com cookie that reads user=1032354. You retrieve http://www.example.com. Of course, you send your cookie to the web server, which outputs the following in the web page:

<IMG src="http://www.advertiser.example/add.cgi?source=example.com&user=1032354">

Of course, when your browser goes to www.advertiser.example to get the image, it happily sends the advertiser.example cookie. Now, the server at advertiser.example knows which user you are on its site (from the cookie you sent it) and which user you are on example.com (from the URL).

With the backchannel method, it operates more like this:

1) You go to www.example.com and send it your example.com cookie.

2) The web server at example.com gets your user ID from the cookie and sends a JSON request to advertiser.example to create a session for you. It passes it your example.com user ID.

3) The web server outputs an image link to advertiser.example with the session ID created in step 2.

4) When your browser connects to advertiser.example, it sends the advertiser.example cookie in the headers and the session ID in the URL.

5) The server at advertiser.example can now associate your session with their own user record and your user record at example.com and it can output an appropriate ad.

It can also be done through referrers.

Update: No cookie is needed at the main sites. A single advertiser cookie will do.

1) You go to a site, you send no cookie. The site assigns you a new session.

2) The web page has an embedded image link to the advertiser's site with the session embedded in the URL.

3) You fetch the embedded image, sending your session ID (in the URL) and your cookie (for the advertiser's site).

4) The advertiser now associates your session on the main site with your account in their database. It communicates this to the site's web server through a back channel, embedded in a URL, or other means.

Gil answered 9/1, 2012 at 20:51 Comment(7)
Don't these two scenarios still imply "in network" tracking? That is, in order for the advertiser above to track that a given user went to both example1.com and example2.com, the advertiser would have to publish ads on both example1.com and example2.com? I want to know if advertisers have any tricks/tools to view a user's history even if they have only served a cookie at example1.com - Monosymmetric
No cookie is needed at the example sites. The process can work exactly the same without a cookie. The site simply assigns you a random session at first, gets your user identifier from the advertiser through a backchannel, and then associates the random session with the user account at the advertiser's site. - Gil
Perhaps I'm wording/clarifying my question poorly. Is it possible for an advertiser that publishes ads on "example2.com" to ascertain that I visited a particular site "example1.com" if they had never served an ad from "example1.com"? - Monosymmetric
@nomizzz Probably not, assuming they don't use some kind of exploit. There are a few ways it might be possible -- for example someone they cooperate with served you an ad on that site and they can link your account with them with your account with their partner's. (Possible through another site that served ads from both of them.) - Gil
Fair enough. Accepted your answer for its thoroughness and coverage of all standard advertising patterns - Monosymmetric
@RoyiNamir Ask a question. :) - Gil
@DavidSchwartz asked :-) - Conde
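
The URL-passing flow from the answer above, modelled end to end as an added example that is not part of the original thread: it shows what the advertiser's server can join from one request (its own cookie plus the identifier in the URL) and that a site which never embeds the advertiser contributes nothing to the profile. The class names, the `uid` cookie name and the user ID `77` are assumptions made for illustration.

```python
from collections import defaultdict
from http.cookies import SimpleCookie
from itertools import count
from urllib.parse import parse_qs, urlsplit


class AdServer:
    """Toy model of the advertiser.example image endpoint (hypothetical)."""

    def __init__(self):
        self._next = count(1)
        self.profiles = defaultdict(dict)  # advertiser uid -> {site: site user id}

    def handle(self, url, cookie_header):
        """Process one image request; return (uid, Set-Cookie value or None)."""
        cookie = SimpleCookie(cookie_header)
        set_cookie = None
        if "uid" in cookie:                 # returning browser: reuse its ID
            uid = cookie["uid"].value
        else:                               # first contact: mint an ID
            uid = f"adv-{next(self._next)}"
            set_cookie = f"uid={uid}"
        query = parse_qs(urlsplit(url).query)
        # The join: own cookie (who) + URL parameters (where, and as whom).
        self.profiles[uid][query["source"][0]] = query["user"][0]
        return uid, set_cookie


class Browser:
    """Stores cookies per host and sends them only to that host."""

    def __init__(self):
        self.jar = {}

    def fetch_image(self, url, server):
        host = urlsplit(url).hostname
        uid, set_cookie = server.handle(url, self.jar.get(host, ""))
        if set_cookie:
            self.jar[host] = set_cookie
        return uid


def pixel(site, site_user):
    """Image URL a publisher page embeds, in the form shown in the answer."""
    return f"http://www.advertiser.example/add.cgi?source={site}&user={site_user}"


def demo():
    ads, browser = AdServer(), Browser()
    # Constructed visits: two sites embed the image; example1.com does not,
    # so visiting it produces no request to the advertiser at all.
    uid_a = browser.fetch_image(pixel("example.com", "1032354"), ads)
    uid_b = browser.fetch_image(pixel("example2.com", "77"), ads)
    return uid_a, uid_b, dict(ads.profiles[uid_a])
```
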
0

Companies like Facebook, Google and DoubleClick's business models work because much of the Internet community voluntarily hosts a JavaScript file for them. I assume that 90%+ of large websites all use Google Analytics or run Google ads. And they all used DoubleClick ten years ago. The actual cookie is probably just a simple user id. That's enough information to update your anonymous profile.

Malinda answered 15/10, 2019 at 1:9 Comment(0)
