Cookie variants can skirt blockers, anti-spyware tools

Just because your Web browser is set to block third-party tracking cookies that doesn't mean all of them are being blocked.

A growing number of Web sites are quietly resorting to the use of "first-party," subdomain cookies to skirt anti-spyware tools and cookie blockers and allow third-party information gathering and ad serving, according to some privacy advocates and industry analysts.

Though the cookies are not fundamentally different from other third-party cookies, they are very hard to detect and block, said Stefan Berteau, research engineer with CA's anti-spyware research team. The result: companies could theoretically use the cookies to quietly gather and share consumer information with little risk of detection, he said.

So far, the use of first-party, subdomain cookies appears to be less prevalent than standard third-party cookies, Berteau said. "But it's the kind of thing that might catch on quickly."

The growing, but largely hidden, issue of online consumer-tracking and information-sharing burst into the open in recent days because of the controversy generated by Facebook's Beacon ad-serving technology. In that case, the use of tracking technology was acknowledged by the company, though it has been blasted for not allowing users to easily opt out and for failing to disclose how extensively it was being used.

First-party, sub-domain cookies are those that appear to be served up by the primary Web site a user is visiting; in reality, they are being issued by an external third party. For example, a company whose primary domain name is could create a sub-domain called trackerxyz that falls within the domain so it would look like this:

This subdomain actually points to a third party's server. But because the parent domain names are the same, the user's browser sees that server as belonging to the parent -- and treats cookies from both equally.

Web sites that allow such cookies are taking advantage of the fact that the standards used to categorize cookies rely on domain names, not IP addresses, Berteau said. In other words, whether a cookie is seen as a first-party cookie or a third-party cookie depends on the domain from which the cookie was served up, not on the IP address of the server itself. "Basically a sub-domain can be pointed to any IP address" while still having its cookies treated as first-party cookies, he said.

In many cases, first-party, sub-domain cookies serve legitimate purposes, said Carolyn Hodge, marketing director for TRUSTe. For instance, a bank might have a relationship with an external bill pay vendor, and might set cookies that appear to come from the bank but actually have been set by the bill pay vendor.

"Where it becomes an issue is if there are any sort of secondary uses" associated with those cookies such as activity tracking or ad serving that are being done without notice, she said. In such cases, it would be incumbent on the Web site to disclose that it is using such cookies, she said.

Concerns about the practice could soon prompt a review of TRUSTe's policies surrounding the acceptable use of such cookies, Hodge added. "Our program does not disallow the use of third-party cookies, but we have strict requirements for privacy" related to them.

Page Break

TRUSTe basically certifies and monitors a Web site's privacy and e-mail policies; Its TRUSTe privacy seal is used by more than 2,500 companies in 56 countries.

The use of first-party, sub domain cookies is relatively new and seems to be a response to the widespread blocking of third-party cookies that is done routinely by anti-spyware tools and Internet browsers, said Alain Zidouemba, senior research engineer at CA.

CA's own anti-spyware tools look at the domain from which a cookie is served to decide whether a cookie is third-party or not. The tools then use a score card method to decide whether to block or allow the cookie. The decision is based on self-disclosed information that each third-party cookie is required to have in the form of a compact P3P statement. That statement basically comprises a series of 3-letter tags representing a particular statement about that cookie's privacy policies, which are used to pass or fail a cookie.

In a test of 205,000 randomly selected unique URLs earlier this year, CA discovered more than 20,000 URLs setting nearly 24,300 third-party cookies that were classified as a threat to privacy. More than half of those third-party cookies were issued by tracking networks such as,, and The tracked information ranged from a user's IP numbers, to data on queries to a search engine, logs of account activity, information generated by the purchase of products and services and demographic data such as gender, age and income.

Detecting such cookies would be a lot harder if they are served up as first-party sub domain cookies, Zidouemba said.

For users, blocking them could get more difficult. "So far, we are not aware of a simple way for users to protect themselves, because it is relatively difficult to automatically detect them when they occur," Zidouemba said. "Particularly advanced users could manually investigate each of their cookies, and then use their browser to block the ones which are being redirected to sites they do not approve of."

But that can be a time-consuming and fairly tedious process, "not at all something which an everyday user would be able to undertake, he added.