Cookie-like behaviour, without cookies

I was at the University’s Webmasters’ Workshop event at the OeRC on Friday, and got talking to Dan Q of the Bodleian Libraries about the soon-to-be-enforced ‘cookie law’. We realised that it’s possible to achieve cookie-like behaviour without actually setting a cookie. We’d initially thought that this would circumvent the ‘cookie law’, but having looked at the text of the legislation as quoted in the ICO’s guidance on cookies it appears that this cookie-less approach would also be unlawful, and is certainly against the spirit of the law. I present the idea here as a thought experiment, and to point out that one might need to be careful before implementing any ‘workarounds’ to continue to track visitors.

The idea

A cookie is simply an arbitrary bit of data handed to a browser that it will then hand back on subsequent requests. The cookie can be used to store a (semi-)permanent identifier that can be used to track the user, and it’s this functionality we want to duplicate.

In this approach, each page on a site pulls in a bit of JavaScript that uses XMLHttpRequest to retrieve /track/. This returns a never-expiring 301 Moved permanently response with a redirect to a URL containing a tracking identifier, say /track/sgnklsfg/. The browser retrieves this URL, and receives another never-expiring document. The document is a bit of XML containing the identifier, which can be retrieved using from the original XMLHttpRequest object.

This uses the browser’s caching to maintain the identifier unchanged indefinitely. With the onset of Cross-Origin Resource Sharing, this would also allow the site owner to track users across domains. Dan Q also reckons it could be used to implement a shim around Google Analytics to eschew the use of cookies, which woud be useful were the cookie law only about cookies.

Update: Dave King points out that similar functionality could be acheived using web storage.

Further update: The redirect is probably unnecessary. There’s also the possibility that the cached resource containing the identifier might drop off the bottom of the browser cache after a relatively short time. In this case, Dave’s suggestion is probably a more reliable way to track a user.

The legislation

The law is complicated, and I am not a lawyer. This is my interpretation of the law, and it is liable to differ from that of professionals.

The relevant section of the Privacy and Electronic
Communications Regulations Act 2003, as ammended, is:

    1. Subject to paragraph (D), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (B) are met.
    2. The requirements are that the subscriber or user of that terminal

      1. is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
      2. has given his or her consent.
    3. Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (B) are met in respect of the initial use.
      For the purposes of paragraph (B), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.
    4. Paragraph (A) shall not apply to the technical storage of, or access to, information–
      1. for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
      2. where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

This doesn’t mention cookies by name, only the act of causing to be stored or retrieving information from the user’s browser without consent unless it is necessary in order to provide the requested service. A broad interpretation might be that as CSS generally contains no semantic content then it is not strictly necessary, and so requires the permission of the user. Likewise advertising. Other techniques for identifying the user, such as browser fingerprinting access information stored in the terminal equipment without permission, and so are presumably unlawful. Likewise subscribing to orientation events would be forbidden as it isn’t “strictly necessary” for providing a service, just convenient. It all seems a bit too woolly and all-encompassing. You might be interested in Silktide’s page on what is affected by the “Cookie Law”.

As mentioned earlier. the wording of the legislation would seems to suggest that this cookie-less approach would still be as unlawful as the equivalent using cookies.

Posted in Musings | 2 Comments

2 Responses to “Cookie-like behaviour, without cookies”

  1. Dan Q says:

    I’ve just knocked up an implementation of something a little like this, which I’ll put on my blog later this week. Regarding Dave King’s suggestion: web storage is specifically listed by the ICO as being “cookie-like”, so that’s specifically disallowed. However, this 301-approach isn’t specifically disallowed.

    It’s certainly against the spirit of the law, but it’d be hard to demonstrate it’s illegality in court, because it’s only the intent of the action (a plan to track) that makes it illegal to do without consent. Using 301s is perfectly legitimate (for now!), so it’s hard to detect or demonstrate that tracking is being done, and the 301-trick will slip by a lot of cookie-blockers and privacy filters.

  2. […] week I was talking to Alexander Dutton about an idea that we had to implement cookie-like behaviour using browser caching. As I first mentioned last year, new laws are coming into force across Europe that will require […]

Leave a Reply