Some phrases sound great if you don’t know what they really mean. These include “garnished salary,” “positive test results,” and “athlete’s foot.”
Also: “Accept all cookies.”
What kind of monster wouldn’t accept cookies? Certainly not the gluttonous blue Muppet ensconced in my psyche. When faced with a pop-up displaying a button mentioning cookies and a drab link saying something about managing preferences, my gut reaction will always be “Om nom nom nom!”
But my brain knows better. Clicking the button gives the website permission to store data files on your device so that it can recognize you. Those files can come from the website itself, or they can come from third parties, like ad networks, social media companies, and web traffic analysis tools. Think of it as like a biologist sticking a radio transmitter on an albatross, except that biologists don’t force migratory birds to watch Liberty Mutual ads.
I recently found that my own website, where I post links to my freelance writing and other editorial work, served about a dozen cookies, almost all of them to third parties. As someone who frequently writes about online privacy, I felt like a bit of a hypocrite.
So I vowed to hunt down and eliminate every last cookie on the site. I wanted to create a monument to digital privacy, a shining beacon of not uploading anything to your browser.
It wasn’t as cleansing as I thought it would be.
The term “cookie,” referring to a brief bit of computer text, probably originated in the 1970s at Bell Labs. The first web browser cookie was created in 1994 by Lou Montulli, then a 23-year-old engineer at Netscape, as a way for websites to recognize visitors without giving each browser a unique identifier that could be used to follow it around the internet.
His plan backfired spectacularly. Within two years, ad networks were using cookies to track users across any site that served their ads. That’s why when you shop online for, say, a spatula, you might see ads for spatulas all over the web for the next few days.
Today, just about every website serves cookies (the obvious exception being Zombocom). The New York Times uses more than two dozen just on its homepage, Reddit’s uses seven, and even Google’s minimalist homepage uses two.
Joseph Reagle, a professor of communication studies at Northeastern University, notes that some cookies have a legitimate purpose. Without them, navigating a website would be like holding a conversation with Dory from Finding Nemo. Every time you load a new page, the site would forget who you are. Shopping cart items would vanish; you’d have to sign in constantly. “Even as you were browsing a website, the website wouldn’t know that you were the same person,” Reagle says.
But being recognized by a single website is different from being recognized by a sprawling Facebook or Google network. One is like hiring a portrait photographer; the other is like being hounded by paparazzi. Given enough data, your browsing history can be used to construct a shockingly detailed profile of your interests, your personal attributes, and even your mental health, all with the aim of serving targeted ads.
Last year, Montulli told Quartz that he regretted his role in creating the basic infrastructure for the ad-driven, data-harvesting digital economy that has come to be known as “surveillance capitalism.” “I now think the web’s reliance on advertising as a major revenue source has been very detrimental to society,” he said.
So I decided to take a stand against cookies on the one speck of online real estate that I could control. I shared my plan with Reagle, who from 1996 to 2003 worked as a policy analyst for the World Wide Web Consortium, the web’s main standards organization. If anyone knew where I could get my Privacy-Respecting Website medal, it would be him.
“I don’t think you’re helping anyone that much,” he told me. “People who know about cookies know how to block them, and the people who don’t know won’t even notice.”
Still, he said, “Your quixotic enterprise is interesting in that it shows just how sticky these things are… Cookies are somewhat like lint if you’re statically charged.”
Once I figured out where my site’s cookies were coming from, expunging them wasn’t too hard.
My website runs on WordPress, a content management system that powers more than 40% of the web (including the site you’re on right now). WordPress owes much of its popularity to its library of nearly 60,000 plug-ins that let users customize their sites.
Over the years, I had installed several plug-ins — Google Analytics, to monitor my visitors; Yoast, to optimize my pages for search engines; and a few others to connect my site to my Twitter and LinkedIn profiles. But with some of these plug-ins came third-party cookies, which had been quietly attaching themselves to the browsers of my unsuspecting visitors.
Many were easy to expunge by deactivating the plug-ins that spawned them. I swapped Yoast for a cookie-less search engine plug-in called All in One SEO, and I exchanged my social media plug-ins for straightforward links to my profiles.
I couldn’t find a suitable replacement for Google Analytics, and I was hesitant to give it up. I get a couple hundred visitors a month at the very most, but I had always found it reassuring to know there were people looking at my site. Then again, a promise is a promise, so out it went. Now, you can visit my site secure in the knowledge that I’ll never know you were there.
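For readers who want to run the same kind of hunt on their own site, here is one way to sort the cookies a page load sets into first-party and third-party and list the hosts responsible. This is an added example, not the tooling used for this article: the hostnames and cookie values are constructed, and a site's registrable domain is approximated as its last two labels.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

def site_of(host):
    # Assumption: registrable domain = last two labels of the hostname.
    # A real audit should consult the Public Suffix List (e.g. for co.uk).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def audit(page_url, responses):
    """Classify every cookie set while loading page_url.

    responses: iterable of (request_url, Set-Cookie header value), as
    copied from a browser's network panel or a HAR export.
    """
    page_site = site_of(urlsplit(page_url).hostname)
    findings = []
    for url, header in responses:
        host = urlsplit(url).hostname
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            findings.append({
                "name": name,
                "host": host,
                # Third-party: the response came from a different site
                # than the page the visitor actually asked for.
                "party": "first" if site_of(host) == page_site else "third",
                # No Expires/Max-Age means it dies with the browser session.
                "persistent": bool(morsel["expires"] or morsel["max-age"]),
            })
    return findings

def third_party_hosts(findings):
    # The hosts to trace back to a plug-in or embedded script.
    return sorted({f["host"] for f in findings if f["party"] == "third"})

# Constructed sample: one page load on a hypothetical site.
PAGE = "https://www.example-writer.test/"
OBSERVED = [
    ("https://www.example-writer.test/", "session_pref=abc; Path=/; HttpOnly"),
    ("https://analytics.tracker-example.test/collect",
     "uid=42abc; Path=/; Max-Age=63072000; Secure"),
    ("https://cdn.example-writer.test/widget.js", "a11y=contrast; Max-Age=2592000"),
]

if __name__ == "__main__":
    for f in audit(PAGE, OBSERVED):
        print(f)
    print("third-party cookie sources:", third_party_hosts(audit(PAGE, OBSERVED)))
```

Each host in the final list is a lead to follow back to whatever plug-in or embedded script loads it.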
My efforts were probably pointless. Today, the third-party cookie business is crumbling, in part because of the proliferation of laws like the EU’s General Data Protection Regulation (which mandates those “accept cookie” popups), but also because they’re less effective than they used to be. Social media, mobile apps, and other online walled gardens that discourage browsing the open web have found other ways to track you. Three popular browsers — Safari, Firefox, and Edge — block third-party cookies by default. Google has announced that its vast ad network would stop using them and that its browser, Chrome, will block them at the end of 2023.
I checked each of my public-facing pages one last time and found no cookies. But something still bothered me at the end of my project, and I eventually figured out what it was. Earlier this year, I installed an accessibility widget made by a company called UserWay, which brings up a menu of options for people with vision impairment or cognitive disabilities. When they use the widget to change the display, the site will stay that way on future visits, so there need to be cookies involved. But the cookies don’t get uploaded to your browser unless you actually use the widget.
My free UserWay widget is no substitute for accessible design, but I do believe it makes browsing a little easier for those of us with disabilities. It also taught me a valuable lesson about the tradeoffs between privacy and usability. As everyone’s favorite googly-eyed gourmand likes to point out these days, the key is moderation. A cookie, I now realize, is a sometimes data file. And that’s good enough for me.