Affiliate Future: Cookies are evil, so let’s abuse an RFC rule.

I was out on the monthly schnitzel night last night, a periodical gathering of former IMW employees, where we drink beer, eat pork and talk about, amongst other things, the search industry.

JP Jones, former CTO at buy.at Leads, handed me his well-used iPhone (he got his hands on it seemingly before Steve Jobs managed to!). On the screen was an email, a press release from Affiliate Future detailing a miraculous but somewhat secret technique of tracking users without cookies.

I find it hard to avoid a challenge, especially one implying other people in search thought of something before me, so I made the promise that I would have this figured out by the end of the following day. I have.

As we all know cookies are evil, so tracking users without them is a good thing, right? Well, not really. Not at all in fact; for a start, cookies are not in the slightest bit evil. Yes, they track users, but when you actually think about it, that’s pretty essential. Anti-spyware applications block cookies in the name of your ‘privacy’, but this is just utter nonsense they peddle in order to generate a faux “need” for their products. OK, don’t take that as me saying spyware is not real. It is, and it’s bad, but cookies are not spyware, they are not a violation of your privacy and they do make the internet a much better place to work and play.

So, how is Affiliate Future’s unique and indeed patent pending (which by the way will NEVER stick) tracking system better? In short, it isn’t. It’s worse.

What AF have done is very clever, but it’s just as “intrusive” as a cookie. It still tracks the user across the internet in exactly the same fashion as the common garden cookie, but they do it by employing a devious, although admittedly clever, hack. Unfortunately, it’s the same sort of hackery and bending of standards that real spyware writers employ.

Entity Tags, the new cookie?

Busy websites MUST employ some sort of caching system. They need a way to identify whether a user has already downloaded a certain file, and then tell them to use that already downloaded version rather than use up bandwidth fetching the exact same content again. A header image or JavaScript file would be a perfect example of data you would want to be downloaded as little as possible. For very large websites this can save a fortune in bandwidth bills and server/admin requirements.

The “old” way of doing this was by issuing an expiry date for the content (file), and if that date had passed, then the browser would request a new version. There are some problems with this method and so the powers that be came up with Entity Tags, or ETags.

Avoiding the essentially unimportant technical implementation, ETags are small chunks of text that uniquely identify a particular file, not by its creation date but by its content. Something like an MD5 hash would be employed to create a unique reference to the file content.

Upon the first visit, the user’s browser has no ETag for the file it’s requesting, and so the web server sends it the file, along with the ETag. The user’s browser then saves this ETag on the local computer, just like a cookie. The next time the user visits the webpage, the browser recognises that it has an ETag for that page, and so when requesting the page it says ‘here is my ETag, is that valid?’ The web server compares the unique identifier supplied by the user’s browser to the current version of the file existing on the server. If the ETag matches, the server simply says ‘you already have that content, use your cached version’. If the ETag does not match then the server lets the browser know and sends the new content, along with the new ETag.

Now, it is possible, as with all HTTP headers (which is what a cookie is), to manipulate (read and write) the data sent. So, instead of sending a unique identifier for a file, Affiliate Future are sending a unique identifier for that particular user. JUST LIKE A COOKIE.

When the user revisits that site (or any other that includes that ‘trigger’ file) AF intercept the ETag, which instead of being used properly to optimise caching operations, now tells them who the user is.
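To make the difference concrete, here is an added simulation (my own illustration, not code from the post or from Affiliate Future) of a properly caching server next to one that hands out a per-visitor ETag, plus the check an auditor or privacy plugin can apply: fetch the same file twice with no cached state and see whether identical bytes come back with different ETags. The resource bytes and server classes are constructed for the example.

```python
import hashlib
import secrets

# Constructed sample resource: a site-wide script that many pages include.
RESOURCE = b"/* sample tracker.js */ var af = 1;\n"


def content_etag(body: bytes) -> str:
    """Legitimate ETag: derived only from the bytes being served."""
    return '"%s"' % hashlib.md5(body).hexdigest()


class CachingServer:
    """Normal caching: same content means the same ETag, for everybody."""

    def get(self, if_none_match=None):
        tag = content_etag(RESOURCE)
        if if_none_match == tag:
            return 304, b"", tag          # browser may use its cached copy
        return 200, RESOURCE, tag


class TrackingServer:
    """The abuse the post describes: a random per-visitor ETag that the
    browser echoes back in If-None-Match, re-identifying the visitor."""

    def __init__(self):
        self.seen = {}                    # visitor tag -> number of visits

    def get(self, if_none_match=None):
        if if_none_match in self.seen:
            self.seen[if_none_match] += 1
            return 304, b"", if_none_match
        tag = '"%s"' % secrets.token_hex(8)
        self.seen[tag] = 1
        return 200, RESOURCE, tag


def looks_like_tracking_etag(server) -> bool:
    """Audit heuristic: two cold requests (no cached validator) return
    identical bytes but different ETags, so the tag is not content-derived."""
    _, body1, tag1 = server.get(None)
    _, body2, tag2 = server.get(None)
    return body1 == body2 and tag1 != tag2


def linked_visits(server: TrackingServer, times: int, replay_etag=True) -> int:
    """One browser revisiting `times` times. With replay_etag=False the
    client drops the validator (the ETag-filtering mitigation the post
    predicts) and the server can no longer chain the visits together."""
    tag = None
    for _ in range(times):
        _, _, tag = server.get(tag if replay_etag else None)
    return max(server.seen.values())
```

The price of the mitigation is visible in `linked_visits`: a client that never replays the validator also never gets a 304, which is exactly the extra bandwidth the post warns about.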

While this is clever and I really do have to respect their outside-of-the-box thinking here (bravo chaps!), it’s absolutely no better for the privacy-privy user. It still tracks them in just the same way, but anti-spyware application users, and users with cookies turned off, will be tracked even though they blatantly don’t want to be. This is a bit of a middle finger to consumers who are, albeit naively, concerned about internet tracking.

Great news for affiliates then, right? They get more tracked sales, brilliant!

Perhaps – in the short term. ETag is not supported in anything but the newest of browsers, and now this “technology” has been made public by AF, privacy advocates and anti-spyware vendors everywhere will be very quick to jump into action and create ETag filtering plugins for browsers. This might be a route to slightly more tracked sales, but it is without doubt a temporary one.

Essentially what this hack has shown is that ETags can be abused, and if this means people start turning them off (if the option becomes available) then the bandwidth bill for large websites is going to rise, and they’re going to have to pass that cost along to us, the consumers.

