Cookie Quest: what cookie risks might you face online?

Based on the risks each individual faced online, our researchers came up with a list of recommendations for them to stay secure online:

Australian Parent:

• Look out for the kids: They’re responsible not just for their own cookies, but potentially for their children’s as well. Education is key, but parental settings and browser settings can also help.
• Watch out for shopping sites: These almost always have tons of cookies.
• Cross-site cookies: A surprising number of cross-site connections can form while browsing a wide array of different websites. This can increase their family’s risk profile.

Canadian Student:

• Education sites: University sites displayed a surprisingly large number of cookies.
• Anti-student bias: Some sites display biases against student users, assuming them to have low incomes. This can continue for months or even years after graduation.
• Deal hunter: Looking for apartment listings or the best deals can get the user tons of cookies.

French Creative:

• Beware the content bubble: Cookies and other tracking methods may reduce the diversity of art and media you see.
• Know sites’ cookie footprints: Government sites use few cookies, but some news and media sites use excessive amounts of cookies.

German Techie:

• Use the law: Germany’s stronger privacy laws give the techie a privacy advantage when browsing German websites. If possible, opt for sites in countries with strong privacy regulations.
• Underground sites: Underground/niche sites may have less commerce or ad cookies, but users may need to watch out for other suspicious activity.

United Kingdom Teacher:

• Learn about the risks: News and media sites tend to have tons of cookies, but educational sites often have far less.
• Keep them separated: Especially when working with children, it’s important to separate your browsing profiles.Use different accounts or even devices to browse.

United States Businessman:

• Follow the money: Financial sites are likely to leave lots of cookies, and using those sites can make users prime targets. It’s important to protect your privacy.
• Shop in private: Commerce sites love to use cookies, but these may sometimes prevent you from getting the best deals offered to you. Try blocking cookies when you shop.

Cookies aren’t a game

Cookies are a normal and necessary part of the internet. Without them, you couldn’t log into a website or fill your online shopping cart. Too many cookies, however, can become a threat to both your security and privacy. Here’s how:

• Cookies follow you online: Even if you hide your IP address with a VPN, cookies can track what you do online and form a partial ID of who you are.
• Third-party cookies sell your data: Some sites earn revenue by serving third-party cookies. These aren’t functional – their purpose is to turn a profit from your data.
• Cookies are a vulnerability: With the wrong browser settings or when visiting the wrong website, cookies can introduce security vulnerabilities to your browsing experience.

This is why managing cookies is important – we can’t live online without them, but too many can be a risk.

Let’s take a deep dive into the types of cookies each user gathered. As we mentioned, not all cookies are equal.

• Necessary: Cookies without which a site cannot work;
• Functional: Cookies without which a site cannot perform a specific function. They can help empower functions that provide an additional benefit, like localized content, but are not required for the website to work;
• Analytics: These cookies collect as much data as they can about you so they can help website admins understand who you are and how they can convince you to buy their products or services;
• Performance: These cookies analyze how you interact with a website so they can measure a website technical performance. They can help admins improve their websites;
• Advertisement: Ad cookies help advertisers target you with more personalized offers, increasing the chance that you’ll click and spend money;
• Other: There are all sorts of cookies to be found online, some of which can introduce vulnerabilities;

Methodology

We asked six individuals to share their daily browsing practices with us. Participants were recruited through an agency, which provided the anonymized results. We didn’t receive any identifying information, and URLs were reduced to domain names.

Each participant provided the domains they accessed on two consecutive days in June 2021 and answered a few basic questions about their interests and awareness of cookies. When presenting the results, we further anonymized some sites such as specific schools or other sites that might provide too much detail around localized or otherwise identifiable data.

The domains visited by participants were run through a cookie scanner and the results were examined for types of cookies. This provided:

• The number of cookies
• The percentage of each type of cookie: necessary, analytics, functional, performance, advertisement, other
• Where each cookie was from

This gave us 3,958 cookies across 230 sites. From this data, we calculated:

• The number and percentage of cookies from third-party domains
• The total number of cookies received across the two-day period
• The average number of cookies received per website
• The average number of each type of cookie