Michael Horowitz

Defending IE7 from Google interest-based advertising cookies

March 15, 2009 10:33 PM EDT

Google just started testing a new tracking system that will display ads based on your web browsing history. The buzzwords for this are interest-based advertising, behavioral targeting and online behavioral targeting.

Google's introduction to the topic, Interest-based advertising: How it works doesn't sound threatening or invasive, but it may be the first step down a slippery path.

The browsing history that Google uses exists in cookies rather than the web browser cache. My previous posting, What are cookies?, provided an introduction to cookies. 

When fellow Computerworld blogger Preston Gralla wrote How to protect yourself against Google ad snooping he discussed the official line from Google about how to opt out of their new profiling scheme.  Over at PC World, JR Raphael covered the same subject in Google's Behavioral Ad Targeting: How to Reclaim Control.

That article has links to opt out pages for Google, Yahoo and Microsoft as well as a master opt out page for a whole host of advertising networks from the Network Advertising Initiative.

But this type of opting out just sets more cookies. In the worst case, Google requires you install browser plug-in software to insure their opt-out cookie never gets deleted.

Setting more cookies means you have to trust how these cookies are used. This is a Defensive Computing blog and trust is not part of Defensive Computing. So, I offer another approach. An approach to prevent the creation of cookies from ad networks (such as Google's Doubleclick) in the first place.  
 
For now, I'm focusing on Internet Explorer 7. The good news is that IE7 users can easily block third party persistent cookies (you did read that prior posting, no?), those also known as tracking cookies.

LET'S SEE THE COOKIES

It's possible to see the cookies that IE7 has cached, but the process is a bit convoluted and confusing.

In IE7, do Tools -> Internet Options -> Settings button (the one in the browsing history section) -> View Files button. In Windows XP this opens Windows Explorer showing the files in folder

C:\Documents and Settings\yourusername\Local Settings\Temporary Internet Files

In Vista the corresponding folder is

C:\Users\yourusername\AppData\Local\Microsoft\Windows\Temporary Internet Files

Sort by the Internet Address column and then scroll down to see the files whose names start with "cookie:".

That's the convoluted. The confusing comes from reading the IE7 Help file in Windows XP which says that

Cookies are stored in a folder named Cookies which is stored inside the Documents and Settings folder. By default, the path is C:\Documents and Settings\your user name\Cookies.

Sure enough, on Windows XP, there are cookies here too. Beats me why they are stored in two places.

Under Vista, the IE7 help file says nothing about where cookies are stored. Perhaps this is because it varies depending on whether protected mode is on or not. With protected mode on, cookies are stored in: 

C:\Users\yourusername\AppData\Roaming\Microsoft\Windows\Cookies\Low 

DELETING ALL COOKIES

If you hate cookies, start IE7 and do Tools ->  Delete Browsing History -> Delete cookies button. It says it will delete the cookies in the Temprorary Internet Files folder and it does. But on XP it also deletes the cookies in the C:\Documents and Settings\yourusername\Cookies  folder.



I think this is overkill, since all cookies are not bad. But, reasonable people can disagree. Firefox users are no doubt gloating here. Firefox v3 can delete all cookies automatically when it is shut down (Tools -> Options -> Privacy tab), a feature that IE7 does not offer.



BLOCKING THIRD PARTY COOKIES

The cookie accepting/blocking rules in IE7 are available at Tools -> Internet Options -> Privacy tab.

Someone unfamiliar with cookies can simply adjust the high/low/medium slider and hope for the best. However, there is too much trust involved here for my Defensive Computing tastes. Using the slider entails trusting Microsoft to have correctly documented what each setting does and that there are no bugs in the implementation. It also means that Internet Explorer has to correctly understand the intent of different cookies using a process that's not documented at all. I think not.  

The Advanced button offers a manual override.


Turn on the checkbox to "Override automatic cookie handling". Accept first party cookies and block third party cookies. Turn on the checkbox to "Always allow session cookies". Click the OK button. That's it, you're now much better defended from tracking cookies.
 
I mentioned in the previous posting that the home page of The New York Times included cookies from  advertising.com, atwola.com, bluestreak.com, doubleclick.net and tacoda.net in addition to nytimes.com. To see the effect of blocking third party cookies, I deleted all cookies, shut down IE7, restarted it and visited a few pages at nytimes.com. The only cookies that existed were from nytimes.com. The ads still display, but their corresponding cookies are rejected by IE7.

The Google behavioral targeting is a big deal because their AdSense system places ads on so many websites. Thus their tracking cookies can provide a better browsing history than another company whose cookies appear on fewer sites.

Blocking third party cookies, as described above, defends against Google ads. I tested this by clearing all the cookies, then visiting a website with Google ads. The website only created a cookie for itself, nothing else. Previously the same site had created multiple cookies.

NOTIFICATION OF BLOCKED COOKIES

There is an easier way to see the fallout from blocking third party cookies.

Internet Explorer 7 has a blocked cookie icon (see below) that shows up on the status bar at the bottom of the browser window when it blocks cookies. 



If the icon is displayed, you can double click it to see which websites were prevented from writing cookies.


 

GOOGLE AD PREFERENCES

In Preston's posting on protecting yourself against Google ad snooping, he mentioned the Google Ads Preferences page. This page works, even with third party cookies disabled. I played with it a bit and found quite a few bugs. In fairness, this is a beta system, but it seems to have been rushed out the door.

My testing seemed to show that the end result of setting preferences was a doubleclick.net cookie rather than a google.com cookie. I found it interesting that even with third party cookies blocked, a page at google.com was able to create a doubleclick.net cookie. That's not good.

BLOCKING WEBSITE COOKIES

Fortunately, there's a fix. Internet Explorer can block cookies on a site by site basis.

There's a Sites button on the Privacy tab that controls this. It opens the window shown above. Enter "doublick.net" as the "Address of website" and click the Block button. This tells IE not to accept any cookies from Doubleclick.

You can verify this by returning to the Google Ads Preferences page. It will now, incorrectly, object that cookies are disabled. They're not. What is disabled, are cookies from Doubleclick.



If you're a Gmail user, fear not. Even with third party cookies and Doubleclick blocked, Gmail works fine.

For more on the overall situation see The Shady Ways Advertisers Track You Online over at Fast Company.



Update March 17, 2009: Computerworld today carried a story about a modified version of Google's web browser plugin, Browser add-on locks out targeted advertising. The modified plug-in, created by Christopher Soghoian, inserts opt-out cookies for 27 different advertising networks.

In my opinion, this is an inferior solution to blocking the cookies in the first place. It's throwing more cookies onto the fire and requires you to trust how these additional cookies are dealt with. In fact, you have to trust 27 different companies. As I said in this posting, there is no trust in Defensive Computing.

Older Post: What are cookies?