Using Zombie Cookies to Improve Privacy?

Posted by & filed under Privacy.

Before starting this post, I want to point that this blog is for debate purposes only and Tealium does not use any ETags or Zombie Cookies.

There’s been a lot of news lately about the use of various techniques such as “local shared objects” or “HTML5 cookies” in order to re-spawn deleted cookie and bypass the consumer’s choice to opt out. These are sometimes referred to as zombie cookies. We at Tealium do not condone such practices and believe that consumers should have the choice to opt out if they want to. However, this post is not about the philosophical debate and there’s been a tremendous amount of discussions already on the topic. An example can be found here.

The topic that we feel has not been discussed is how these same re-spawning techniques can be used to actually improve consumer privacy. That’s right. Zombie cookies can actually be good for privacy.

Before I continue, I want to point out that there are two kinds of opt-outs today. The first is using the new “do not track” headers within new browsers. This is something that many vendors already support. Customers of Tealium for example can take advantage of Tealium’s support in this area to improve the privacy of their visitors.

The second method – which is more traditional – is to allow consumers to opt out of specific tracking. For example, a consumer may decide to be tracked through analytics tools but opt out of behavioral targeting.

Opt-outs are flawed

The problem with today’s opt-out mechanism is that they’re inherently flawed. Here’s why:

When a visitor opts out of a service, an “opt out” cookie is added to the visitor’s browser. The vendors’ scripts or tags look for the “opt out” cookie. If no cookie exists, then the tracking is continued. If an “opt out” cookie exists, the service stops the tracking. Because these services rely on cookies for opt out, when a visitor deletes their cookies, the visitor has effectively just opted back in.

Opt-outs require a more permanent state

The problem with today’s opt-out mechanism is that it is only temporary and stops functioning the moment visitors delete their cookies. The industry needs a more permanent way to allow people to opt out. As discussed previously, the browsers have come up with their solution in the form of “do not track” headers. The problem with these headers is that they’re an “all or nothing” proposition and do not provide visitors with the ability to opt out of only a category of trackers.

What if the industry started adopting some of the same zombie cookie techniques in order to provide a more permanent opt out mechanism? The same technology that is used in some instances to re-spawn tracking cookies can be used to re-spawn “opt out” cookies.

Remember, it’s not the technology but the application that matters. By using the same techniques, digital trackers can actually provide a more permanent opt out mechanism to consumers and better respect their request.

As of the writing of this post, we know of no tracker using such techniques for opt outs and we’re not recommending that vendors do so. But what do you think? Do you think that this technology should be used to provide a better privacy or do you think the industry should completely stay away from such re-spawning techniques?

My personal belief is that if a technology can be used to provide a valuable service to consumers, then it should be used.

And with that said, Ty – tag you’re it.

About Ali Behnam

Ali is the Co-Founder and President of Tealium. Prior to co-founding the company in 2008, he held several senior-level positions at WebSideStory (now Adobe Systems), Visual Sciences, and Omniture. He joined WebSideStory in a product management role where he managed the company’s enterprise level products, and later joined the company’s professional services team managing strategic clients. Ali holds an MBA from UCLA Anderson School of Management.

by Ali Behnam
Co-Founder, President
1 comment