Help, I don't know what cookies are
09 Apr 2019
That’s great, I’m so glad you said that. Hardly anyone really knows what they are. But it’s okay to not know. The first step is admitting it. Well done. You’re obviously here because what you do know is this: cookies are important, but cookies are confusing. Don’t worry - I actually know what they are, so it’s cool.
whatarecookies.com looks like it was last updated in 2006 and offers this delightful explanation of what a cookie is:
“Cookies are small files which are stored on a user’s computer. They are designed to hold a modest amount of data specific to a particular…” never mind, I’m asleep.
Dull explanations like this make it really hard to care about cookies. But I’m afraid it’s time to start caring - there are large companies out there who really care about cookies (and understand them), but they certainly do not care about you. If you start to get a better understanding of cookies, that’s one tiny step towards ending this horrid asymmetry of knowledge.
Okay so, imagine you just discovered a cool new website called treerank.bark. This is where people go to rank their favourite trees. Really simple concept and highly addictive - like any good website. You visit the site for the first time, and your cookie journey begins.
There are three main types of cookie at play here, and here is a quick explanation of each of them:
Session Cookies: these are temporary and go away as soon as you close your browser. That does not mean they aren’t important.
Persistent Cookies: these are actual files that stay on your computer unless you manually tell them to go away. They have the ability to follow you to every website you visit and take detailed notes. Reasons behind these range from page functionality to marketing (serving you targeted ads)
Third-party Cookies: just like persistent cookies but they aren’t even from the website that you chose to visit. They are from someone else. This is like when you read an article on Medium, and you see social icons on the left. Medium had to ‘ask’ Facebook and Twitter to load those up; and now their respective cookies exist on your device without even paying them a visit…
This explanation is short and sweet (like an actual cookie). We will go into more detail below (like adding extra chocolate chips, mmmm). I urge you to read on so you can appreciate cookie nuance on the same level that big companies do.
Right so you’re on treerank.bark, the coolest new website all the kids are talking about. You start by ranking your top five favourite trees. Birch is first, duh. The only thing second to birch is willow, obviously. Third is redwoods because, hello, they are massive and size does matter.
Damn, ranking trees is hard. You’ve done three out of five which is not bad but this took up most of your lunch break. You close the tab and grab a sandwich. You don’t even get half way through the sandwich when you get a tree-related brain wave: ash should definitely come fourth, followed by elm. You open another tab and go back to treerank.bark to complete the list. There - your top five favourite trees, perfectly ranked. Such a great lunch break activity.
All is well so far, but let’s take a FAQ break to make sure we’re all on the same page (it’s only polite):
Q: I ranked three trees and then I closed my tab. When I opened another tab, and went to treerank.bark my tree rankings were still there? What magic is this?
A: Not magic at all my friend. Looks like treerank.bark uses session cookies. When you ranked your first three trees, treerank.bark harnessed the awesome power of a session cookie to ‘remember’ those tree rankings - even though you closed the tab.
All treerank.bark has done so far is store some information in your browser about what your top five favourite trees are. That information stays there as long as your browser is open.
Right, it’s the weekend now. Perfect time to turn that top five into a top ten. You open your browser again and visit treerank.bark. You spit out your coffee. Your top five trees have disappeared. You frantically click through every page hoping your beloved list is somewhere. It is not. Pretty crappy weekend so far.
Sorry, pal. You closed your browser and therefore ended the session. Do you need another FAQ break?
Q: umm… what’s going on? Where are my trees?! You said they’d remember!
A: Yeah okay sorry I didn’t explain it before: session cookies are temporary. They disappear as soon as you close the whole browser. Just closing the tab does not end the session. Closing the entire browser will automatically remove session cookies.
So, session cookies are a bit of a tease. Might seem useless to you, but treerank.bark now know how long your session was, and how many sessions you’ve had in total.
But that is not your main concern. You want your damn tree rankings to stick (get it? Stick? Tree? It’s fine…). You discover you can make an account on treerank.bark so naturally you make one right away. That leads us to our next cookie type…
Determined to never lose your tree rankings ever again, you now have an account with treerank.bark. Every time you log in, your rankings are saved. Treerank.bark also know a little more about you now: your name, your email, and yes… your tree preferences.
You can log in and log out and close your browser and move house and get a new job and treerank.bark will never forget your precious tree rankings. This is because they have left a persistent cookie on your device. It is there until you tell it to go away. This persistent cookie exists as a file that treerank.bark will read every time you visit them.
Persistent cookies do indeed expire - but usually not for a very long time. If you were to stay logged out of treerank.bark for say, over a year (unthinkable), they may forget your details. That is unlikely, though. These days, some companies will have their persistent cookies last up to ten years. Okay, FAQ break!
Q: Why does a cookie need to last ten years? My phone won’t even last five years…
A: You’re right, it probably won’t. But… it might? Companies really want to look at what you’re doing over a long period of time. Your tree preferences could be very different a year or two down the line. Treerank.bark really want to keep a close eye on what trees you’re into (you know, tree trends).
Okay so you’ve been using treerank.bark for a good couple of months now, and things are going just fine. For unrelated reasons, you are now browsing buystuff.shop, the site you go to when you need to buy stuff. You see an ad for treerank.bark; it says “join the community for up-to-date oak news”. You laugh smugly - you already use treerank.bark so this advert is absolutely wasted on you.
Save your silly smug laugh - treerank.bark now know that you use buystuff.shop. How? The persistent cookie, of course. You are just gasping for a FAQ break, I can tell…
Q: How do treerank.bark even know I was on my favourite shopping website?
A: The persistent cookie that was created when you made your account with treerank.bark tracks anything you do that is related to treerank.bark, such as buying stuff on buystuff.shop.
Q: But… that isn’t related to treerank.bark, so…?
A: Yes it is because did you know that 90% of treerank.bark users in their late twenties are more likely to buy subscriptions to Hedge Weekly magazine than anyone else? No, didn’t think you did. That’s market research. And treerank.bark own Hedge Weekly - fun fact.
So your favourite site, treerank.bark, are essentially spying on you via this persistent cookie they left on your laptop. Sure, it means they’ll never forget your tree rankings, but it also means your new subscription to Hedge Weekly is not a coincidence.
Look I know this all seems very dark but don’t worry - it’s going to get even darker.
You want to stop using treerank.bark, you really do. But all your friends are on it now and you don’t want to be out of the loop when it comes to the many uses of birch bark (I totally understand). Also, they just launched some awesome merch. There’s a t-shirt with ‘I love yew’ on it. I mean come on… you gotta buy that.
When you go to buy the t-shirt, you see a button that says ‘add to your buystuff.shop cart’. How unbelievably convenient - you don’t need to put your payment details into treerank.bark because they’re letting you use your buystuff.shop account to make this purchase. Also, this seems like a really straight-forward and honest way for treerank.bark to take your money. Not like that underhanded, sneaky way when you subscribed to Hedge Weekly.
Incorrect. You’re wrong and you want a FAQ break:
Q: Okay okay… what could possibly be wrong with a buystuff.shop button on treerank.bark?
A: That button does not belong to treerank.bark, but it’s on their site. They had to ask buystuff.shop to load it for them. That means it was downloaded from buystuff.shop’s servers, and along with this, a third-party cookie. In this case, buystuff.shop is the third party, and now you have one of their persistent cookies sitting on your computer without even visiting their site.
Q: I already had a buystuff.shop account so surely this makes no difference?
A: Yeah, you’re right, but not in the way you think. The third-party cookie would have been placed there whether or not you have an account with said third party. In the case of treerank and buystuff, both sites now know who you are and that you use both of them, respectively.
Q: But it’s just those two… that’s fine?
A: No. It’s not just those two. It’s everyone. And it’s all the time.
The main thing you need to remember about third-party cookies is that you will be served them even if you do not click on anything. Buttons, banners, and other features or ads that websites use from third-parties are loaded in directly from those third parties. And cookies are included. Just think about everywhere besides facebook.com where you’ve seen a Facebook ‘like’ button.
It’s not all about ads and integration, either. What if treerank.bark wanted put a live chat feature on their site? Would they use time and money to build it themselves from scratch, or just use an already existing - third-party - chat feature that works perfectly well? Yes, the second one. They already did this with their merch store.
This means that companies actually rely on third-party cookies to get parts of their sites to work. But this isn’t all third-party cookies are for - as we’ve covered, they also track your browsing.
This is why websites like the BBC urge you not to disable third-party cookies; because they actually add functional features which the BBC have deemed ‘necessary’. Forbes list all the ‘functional cookies’ that they serve you on every visit. Oh look, they’re all from third parties.
Avoiding cookies is like trying to not make direct skin contact with your own clothes - it’s… really hard. Every time you see social media buttons in the corner of any website, those social channels - as well as a bunch of other third-parties you’ve never even heard of - are tracking your browsing. In other words, cookies are nothing more than a 21st Century brand of surveillance. Cookies give a much better picture of you than a nanny-cam ever will.
Now that you have a better understanding of the main types of cookies out there, remember my answer to the last FAQ break question: it’s everyone, and it’s all the time.
treerank.bark is entirely fictional but if any devs out there have any spare time you could, you know, have a stab at building this? Just an idea, no big deal…