What is a cookie?
A cookie is a small piece of data that a website (the server) places on your device (the client). The exact meaning of cookie contents is specific to each website. In some cases these are benign, and required for the site or app to function (e.g. to know you put an item in a shopping cart). In other cases, cookies can be used to track your browsing activity, search history, and to follow you across the Web. Note that the term “cookie” is used in two different ways: to describe a specific way of setting values on browsers; and as a general term for all ways sites can store values on clients.
How do cookies work?
When your browser requests something from a server, the server can send back cookies along with its response, and your browser will store them, remembering which server they came from. Then, whenever your browser requests anything else from that server, it will include that server’s cookies in its request.
Note that we’re omitting some details here—there are various ways for website developers to modify this behavior—but you don’t need to be familiar with those to understand how cookies work.
In the course of displaying a webpage, your browser may have to request parts of it from several different servers. There’s an important distinction here between “first-party” cookies, which come from the same server that is shown in the browser’s address bar, and “third-party” cookies, which come from other servers. Third-party cookies are sometimes called “cross-site” cookies.
Some cookies are necessary for sites to be able to work properly. For example, when you log in to a website, the site stores a cookie, unique to you, so that it knows who you are as you navigate around the site. Without cookies, you wouldn’t be able to stay logged in as you used a site. Cookies can also be used to prevent a security problem called “cross-site request forgery.”
Those uses are important and desirable, but cookies are also frequently used for a less desirable purpose: tracking. These tracking cookies let trackers know who you are as you browse, so that they can build a profile of your browsing activity for use in ad targeting.
How are cookies used to track me?
Suppose you’re looking at a news site that includes an ad. The ad comes from a third-party server, and it carries a cookie, containing a string of characters that uniquely identifies your browser on your device. The ad server records that it showed a particular ad to a browser with that identifying string.
Then you go to a different site, like a shopping site, which includes an ad from the same ad server. When your browser requests the ad this time, it will send the cookie with the identifying string from before. The ad server uses that identifying string to look up, in its records, what sites it has seen you on and what ads it has shown you before. It can also record your visit to the shopping site.
The purpose of the cookie in all this is to hold an identifier that is unique to you (and your browser and device), and that stays with you as you browse. That way, trackers can reliably build a detailed profile of your browsing activity across several websites.
How can I prevent cookies from being used to track me?
No matter what browser you use, you can set it to block third-party cookies; all major browsers offer this as an optional setting. Brave takes a different approach: Brave partitions cookies by default, which provides all the privacy improvements of blocking third-party cookies, but without affecting website compatibility. (Note that Safari and Firefox offer similar partitioning as well.)
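The tracking scenario described earlier and the effect of blocking or partitioning third-party cookies can be simulated in a few lines. This is an added example, not Brave's code; the browser model, ad server, site names and sequential identifiers are constructed for illustration.

```javascript
// Toy model: one browser cookie jar, one ad server. All names are constructed.
class Browser {
  // policy: "allow" | "block-third-party" | "partition"
  constructor(policy) {
    this.policy = policy;
    this.jar = new Map(); // storage key -> cookie value
  }
  // Partitioning keys third-party storage by the site in the address bar too.
  key(topSite, server) {
    return this.policy === "partition" ? `${topSite}|${server}` : server;
  }
  // Request a resource from `server` while `topSite` is in the address bar.
  request(topSite, server, handler) {
    const thirdParty = topSite !== server;
    const usable = !(thirdParty && this.policy === "block-third-party");
    const k = this.key(topSite, server);
    const sent = usable ? this.jar.get(k) : undefined; // request "Cookie" header
    const setCookie = handler(topSite, sent);          // response "Set-Cookie"
    if (usable && setCookie) this.jar.set(k, setCookie);
  }
}

class AdServer {
  constructor() {
    this.profiles = new Map(); // identifier -> sites where the ad was shown
    this.next = 0;
  }
  handle(topSite, cookie) {
    // A real tracker would issue a random string; a counter keeps this readable.
    const id = cookie || `id-${++this.next}`;
    if (!this.profiles.has(id)) this.profiles.set(id, []);
    this.profiles.get(id).push(topSite);
    return cookie ? null : id; // set a cookie only when the browser sent none
  }
}

// Visit a news site and a shopping site that both embed the same ad server.
function simulate(policy) {
  const browser = new Browser(policy);
  const ads = new AdServer();
  for (const site of ["news.example", "shop.example"]) {
    browser.request(site, "ads.example", (top, c) => ads.handle(top, c));
  }
  return [...ads.profiles.values()].map((sites) => sites.join(","));
}

for (const policy of ["allow", "block-third-party", "partition"]) {
  console.log(policy, simulate(policy));
}
```

With "allow" the ad server ends up with one profile covering both sites; with the other two policies it sees two unrelated single-site profiles. Under "partition" the embedded ad still keeps a working cookie on each site, which is why partitioning does not break sites the way outright blocking can.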
It’s important to note that blocking third-party cookies doesn’t block all forms of tracking:
- Websites can make requests to trackers using identifiers stored in first-party cookies, although this takes more effort on the part of website developers.
- Websites can use bounce tracking, in which your browser is briefly redirected to a tracker’s site as you click on a link, so that the tracker can store first-party cookies.
- Trackers may be able to use fingerprinting to identify you without using cookies at all.
Brave has built-in features to counter all of those techniques. It blocks requests to known tracking servers, it can circumvent bounce trackers, and it includes anti-fingerprinting measures.
What are the cookie notice popups that lots of websites have now?
Some jurisdictions—most notably, the European Union—require websites to get users’ informed consent before storing any cookies that aren’t strictly necessary. These popups are how they do it. You’ll see the popups no matter where you are in the world, though, because many website developers find it easier to show the popup to all users, rather than only those in certain countries.
These notices vary quite a lot in quality. Virtually all of them are designed to steer you into accepting all cookies, by making the “accept all” button large and brightly colored, while forcing you to click on several small controls to reject cookies. Some don’t give you a real choice: your only options are to accept all cookies, or stop using the site altogether. Worst of all, some notice popups track you regardless of your choices.
For privacy, it’s best to use a browser or extension that blocks cookies, instead of using notice popups to reject cookies. In addition to blocking tracking cookies by default, Brave can also block those annoying cookie-consent popups.