this post was submitted on 05 May 2024
66 points (100.0% liked)

Privacy

31939 readers
660 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

Yo peeps, I'm currently looking into TCF Vendors, Ad partners and their whole corporate greed hellhole of tracking. I am writing a paper on this, and would like for everything to be factually correct. However, I am struggling to understand one particular part of this "transparency framework" and hope someone can help me clarify on cookie-duration.

As seen in the first thumbnail, the cookie duration is listed as 180 days. However, upon selecting > Storage Details, each cookie is displayed in further detail. In this detailed section, there are additional cookies with duration as high as 1825 days, not 180... So which is it? Currently, I'm (obviously) assuming the worst, as in, it being 1825 and not 180 days. There are additional cookies on this list, see spoiler below, that have cookies with the duration of 180 days. Why are the cookies with the highest duration listed on the first page? And if the answer is that "it would look worse", then they also have cookies with lower amount of days than 180 that could have been used. There are multiple cookies with different durations, do all of them count?

If needed here is a spolier that includes all the cookies in detail from the Exactag GmbH vendor.

SPOILER

Exactag GmbH - Storage details

Name: exactag_new_adoptout
Type: Cookie
Duration: 1825 (days)
Domain:
Purposes:
Store and/or access information on a device
Refreshes Cookies: No

Name: exactag_new_ccoptout
Type: Cookie
Duration: 1825 (days)
Domain:
Purposes:
Store and/or access information on a device
Refreshes Cookies: No

Name: exactag_new_optout
Type: Cookie
Duration: 1825 (days)
Domain:
Purposes:
Store and/or access information on a device
Refreshes Cookies: No

Name: exactag_new_cpv
Type: Cookie
Duration: 1 (days)
Domain:
Purposes:
Store and/or access information on a device
Measure advertising performance
Measure content performance
Refreshes Cookies: No

Name: exactag_new_gk
Type: Cookie
Duration: 60 (days)
Domain:
Purposes:
Store and/or access information on a device
Measure advertising performance
Measure content performance
Refreshes Cookies: No

Name: exactag_new_uk
Type: Cookie
Duration: 180 (days)
Domain:
Purposes:
Store and/or access information on a device
Measure advertising performance
Measure content performance
Refreshes Cookies: Yes

Name: exactag_new_user
Type: Cookie
Duration: 180 (days)
Domain:
Purposes:
Store and/or access information on a device
Measure advertising performance
Measure content performance
Refreshes Cookies: Yes

Name: session_session
Type: Cookie
Duration: Uses session cookies
Domain:
Purposes:
Store and/or access information on a device
Measure advertising performance
Measure content performance
Refreshes Cookies: No

Let me know if any additional information is needed.

all 18 comments
sorted by: hot top controversial new old
[–] [email protected] 24 points 6 months ago

Don't mind me, I'm just a cookie who wants to store your information for 9993 years....

[–] [email protected] 9 points 6 months ago (1 children)

It's not well explained for sure but judging by the names of the cookies I bet those store the consent (opt in/out) values for the other tracking options. Another way of putting it would be those are functional cookies related to the cookie consent form itself so that you don't have to re-select consent options every time you visit the site.

[–] [email protected] 1 points 6 months ago (1 children)

Ah indeed possible, I have seen some cookies with names such as "optout", but this is not always the case. But does that mean people who DO NOT consent still get a cookie, but a different one without tracking and sorts...?

[–] [email protected] 1 points 6 months ago* (last edited 6 months ago) (1 children)

Yep exactly that, it'll be a cookie (not a tracking cookie, which would require some kind of unique ID) that will be set to ensure the website doesn't show their consent banner every time—i.e. remembering the results of your refusal of tracking consent.

[–] [email protected] 1 points 6 months ago (1 children)

Well this is good to know, and also means i have to run through my numbers again... Am currently checking all the data 198 different vendors are asking for... its an extremely tedious process :<

[–] [email protected] 6 points 6 months ago (1 children)

there are additional cookies with duration as high as 1825 days, not 180... So which is it?

Whatever the browser reports is what they are actually doing.

In Firefox, enter the developer tools, navigate to the "Storage" tab and open the "Cookies" dropdown. For any given domain you can now look at the "Max Age" or Expiry date.

[–] [email protected] 3 points 6 months ago

Neat - thanks :)

[–] [email protected] 2 points 6 months ago (1 children)

Additionally, there are vendors that claim they dont use cookies like seen here; However again when clicking on >Storage Details, it reveals two different cookies, with a cookie duration of 728 days, with a the purpose "store and/or access information on a device". HOW IS THIS NOT A COOKIE THEN?

[–] [email protected] 3 points 6 months ago (1 children)

As a guess I would say that means they don't set cookies themselves, they do use cookies that are set by different services.

Which would be a nice way for them to not have legal responsibility.

[–] [email protected] 1 points 6 months ago* (last edited 6 months ago) (1 children)

But if not themselves then who? There are no additional parties/companies/vendors listed within these cookies as far as I can see at least, and im pretty sure they do need to be listed? Also these companies are the tracking companies, so it would be weird if it wasnt them. As far as I understand it atleast.

[–] [email protected] 1 points 6 months ago (1 children)

I can't visit them directly (they are on 5 different DNS block lists). Looking at Internet Archive I would say it's cookies set by Google, probably through Firebase Analytics, maybe AdMob.

[–] [email protected] 1 points 6 months ago

I assume that when you say "them", you tried to visit the hompage of Pixalate? But it sounds about right actually, the app I am investigating have the following trackers implemented;

  • Adjust
  • AppsFlyer
  • Google AdMob
  • Google CrashLytics
  • Google Firebase Analytics
  • Yoadx
[–] [email protected] 1 points 6 months ago* (last edited 6 months ago) (1 children)

while I am by no means an expert on this, my gut tells me that this is probably something to do with "nessecary" cookies vs advertising & tracking cookies. its a common loophole for other policies so I wouldnt be surprised if they had some way of circumventing the normal limitations for tracking because of "fraud protection" or the likes.

looking at the cookie descriptors, all of the 1825 day cookies are used to "store &/or access information on device refreshes". the shorter cookies are the only ones that also mention "measuring advertising & content performance".

[–] [email protected] 1 points 6 months ago (1 children)

Made the spoiler data/cookies more readable now.

Thanks for your input, but not sure what you meant with your last sentence, could you clarify?

[–] [email protected] 1 points 6 months ago (1 children)

thank you 🙏

I meant that if you look at the "purpose" section of each cookie the ones that are older than 180 days are the only ones that dont mention advertising. thinking they may be related to the "nessecary" or "required" cookies that some websites have. I would presume they have their own or altered version of the other cookies policies since they have different purposes.

apologies, I worded that poorly before.

[–] [email protected] 1 points 6 months ago (1 children)

Ah I see now. I do think this will vary a lot from vendor to vendor and cookie to cookie though. The one I included was only a random one out of 198 different ones. Other cookies I've read through will have ad-measurements and tracking for 3000+ days too :<

[–] [email protected] 1 points 6 months ago

oh I see interesting. seems like blatant malpractice to me. good luck on your paper o7