How to control cookies: A real-world experiment

We explain how cookies affect your privacy online.

We explain how to configure cookies to best protect your privacy and do an experiment to find out how important those settings are

These days, when you go to almost any website, you’ll immediately see a banner at the bottom of the screen asking you to “accept all cookies.” Typically, users agree, to get rid of the annoying text box without delay. Lots of people don’t know if they can decline these mysterious cookies or how to configure them. We decided to conduct an experiment and show you how to control cookies and what happens if you don’t bother.

What are cookies, and what do you do with them?

Every website collects information about you and your activities and stores the information on your device in the form of small files. Those files are called cookies.

Cookies basically do three things:

  • Make the website more convenient for users,
  • Help the website work more reliably,
  • Track visitors’ activities.

Let’s start with convenience. Cookies identify you to a website and save your settings (if any). For example, a hotel reservation website can remember what currency you chose to pay in, and if you check the Remember Me option on a social network’s login page, you won’t need to enter your username and password every time you visit. When you return to the website, it checks your device for associated cookies, recognizes you, and automatically lets you access your account.

However, in addition to having features that are useful for website visitors, cookies enable services to harvest user data to make suggestions based on them and, of course, display targeted ads. Such cookies may belong not just to the owners of the website but also to companies with which they have entered into partnership agreements. The latter are called third-party cookies, and they are the reason many say cookies are just tracking tools.

Because cookies gather private information that is subject to protection, these days a lot of countries have implemented legislative and regulatory acts that require website owners to ask users to consent to the collection of their data. One of these is Directive 2002/58/EC of the European Parliament and of the Council. It’s why you so often see little windows asking you to allow cookies.

Accept all

In an effort to get to whatever brought them to the website, users may click OK or Accept immediately — so they can close that annoying window, even if it means allowing who-knows-who to collect who-knows-what information. Some people may carefully read that notification, but far fewer take the next step and configure the site’s cookies.

Developers tend to encourage users to click the Accept all option, making that button big and bright, and its companion, Customize settings, less noticeable. The attempts by some websites to complicate cookie management have already drawn the attention of privacy advocates.

Our cookie experiment

We conducted an experiment to determine how cookie configuration works. Our primary interest was answering the following questions:

  • Do the websites tell users that the website uses cookies?
  • Do users have the option to reject the cookies?
  • How do the settings users select on the website affect the number of cookies stored?
  • Is configuring cookies on the websites a quick, easy process?

We selected 32 websites for our experiment: ten mass media sites, eight belonging to private companies, four belonging to cultural and sports organizations, four educational websites, two government websites, and four that fall into other categories.

Before visiting each website, we cleared all cookies from the computer so the site would think we were a first-time visitor. We then went to the website and checked to see if cookies were stored on the device, and if so, which ones. If a window popped up giving us an option to go to the settings, we checked which cookies were enabled and which were disabled by default.

Does every website let you configure cookies?

Of the 32 websites we looked at, 14 did not notify users about the use of cookies or provide an option to configure them. In addition, right after we opened the websites, they stored the cookies on the device.

We then checked whether the sites offered any ways to manage cookies. To do this, we scrutinized their privacy policies and found it was possible, at least theoretically, to block the websites from collecting and using your data. Depending on the website, we had one of two options: either directly contact the marketing companies the website owners work with or write to the site administrators and ask them not to track us. In practice, those are hardly convenient ways to shield yourself from tracking.

What happens if the website lets you set up cookies?

Of the 32 websites we examined, 18 — that is, slightly more than half — allowed us to customize the cookies. But they allowed it for only some of the cookies, and they required us to keep the “necessary” ones. Of those 18, most (14) were kind to users who were not too lazy to open the settings: Advertising cookies were immediately disabled there.

The unpleasant surprise was that seven websites foisted a cookie on users immediately. In other words, we did not even have a chance to decide whether we wanted to accept all the cookies or first glance at the settings — the website had already recorded something about us.

If a website did the right thing and waited for us to decide, we opened its settings and tried to disable all of the cookies the website would permit. When we did that, one to three cookies ended up on the computer. If we accepted all cookies, 20 to 30 cookies on average were saved to the computer. This tenfold difference clearly demonstrates why you should open the settings.

We try to disable cookies in the browser settings

Now, we know you can reject cookies in a website’s settings. But, doing that every time is inconvenient, and it gets tiresome. Fortunately, there’s another solution. You can block third-party (i.e., mostly advertising) cookies or disable all cookies in your browser’s settings. Admittedly, if you disable all cookies, some websites will not function reliably.

Instead, keep in mind that a lot of browsers offer an incognito mode. Enabled, the mode allows websites to install cookies, but the browser automatically deletes them when you close the incognito window. This is helpful if, for example, you need to get online from a computer that isn’t yours and so browser cookie settings aren’t up to you.

Cookies aren’t the only trackers

All of these settings, blocks, and modes are meant to prevent others from tracking us. We’ve now gotten to the bottom of cookies, but are their settings sufficient to completely protect us from tracking? Unfortunately, they are not: Websites have a surprising number of other ways to track users.

For comprehensive ad tracking, there are separate tools — for example, Kaspersky Internet Security has a Private Browsing feature to block tracking. During our experiment, we took advantage of the solution, and it notified us continually about tracking attempts — even when we disabled the cookies in the browser — and blocked them. The upshot is that if you want to guarantee that no one is tracking you online, it’s better to use additional protection.

Conclusions

To summarize: Our experiment showed the most effective solution is not to deal with the settings of each website, but to configure everything right in the browser — use the settings menu to block the cookies. If you need to, you can make exceptions for some websites. And to protect yourself from other tracking attempts, set up Private Browsing.

Tips

Securing home security

Security companies offer smart technologies — primarily cameras — to protect your home from burglary, fire and other incidents. But what about protecting these security systems themselves from intruders? We fill this gap.