Okay, you can probably tell there was a little sarcasm, there, but I’m not entirely kidding about, well, any of that. Cookies are inherently insecure, and they are one of the bits of tech used to track so very many things about us all over the Internet. Used correctly, there’s nothing really wrong with them, but implemented incorrectly, they can be a bit of a security risk.
Just like everything else in computing, really.
Well, someone in Europe got a bee in their bonnet, and now I have mobile ads loading under cookie notices on mobile sites, and I have to close five things just so I can see the content I came to see. Ain’t progress grand?
Well, most people would agree that these little notices aren’t terribly great for the general experience, aren’t good for usability, aren’t good for the aesthetic, and aren’t good for our mood as users. But short of the entire Internet pulling a Brexit (which would be both a terrible move, and hilarious from the outside), what can we do?
Just Don’t Use Them
Look, we’re all gathered here, Internet Advertising Companies (and pretty much everyone else) because we love you. We’re concerned about your health, your wellbeing. We just want what’s best for you. (What, the coke? Who cares?) We’re concerned about all the user tracking you’re doing. It’s a very serious addiction, even if it is mostly legal.
You just don’t need all that information about us. I know you think it’s interesting that I bought an air purifier, but what have you done with that information? You advertised more air purifiers. I’m not starting a damned collection. I only need the one. Same for my mouse cord bungee, okay?
Being serious again, or perhaps for the first time in this article, you don’t always need cookies for everything. Why are you even using them on something as simple as landing pages? You only really need to know two things about a darned landing page: how many people are seeing it, and how many of those people are clicking the “send me newsletters forever” button. That’s it. That’s all you need.
There are millions of sites out there that don’t actually need cookies until a user actually creates an account, and starts setting up preferences. Even then, once the user is logged in, why would you store preferences anywhere besides your own server? You want users to sign up? Make them sign up in order to use the dark mode on your website. You’ll get all the personal info you ever wanted.
Okay, maybe don’t actually hold the dark mode hostage in exchange for an email address, but you get my point.
Alternatives to Cookies
Besides, if you really need to store user-specific data, and generally track your users, there are other ways to do it that, while probably subject to everything GDPR-related, are probably not covered under the cookie laws. I say “probably”, because taking actual legal advice from me would be like taking marital advice from Darth Vader. I have a general idea of the concept of “law”, but I’m terrible at lawyering in practice.
IndexedDB is literally a way to store database records on a user’s computer. That’s… that’s it. You can do that. You can also apparently encrypt information before you store it, which means you could potentially use IndexedDB for things like keeping users logged in while safely storing their username and password.
Web Storage came with HTML5, and is apparently not terribly secure. Perhaps you could, again, encrypt any sensitive information before you store it, but I haven’t actually found any articles on this as of yet. You could still use it to store some sort of anonymous user identifier, though.
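Encrypting a record before storing it, as the IndexedDB and Web Storage paragraphs above suggest, shown with the browser's WebCrypto API. This is an added example, not code from the article: the `store` Map stands in for an IndexedDB object store, the function names are hypothetical, and the preferences record is constructed sample data.

```javascript
// Added example (not from the article): encrypt a record with WebCrypto AES-GCM
// before it goes into client-side storage such as IndexedDB or Web Storage.
// Falls back to Node's webcrypto so the same code runs outside a browser.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

// extractable=false: page script can use the key but cannot read its raw bytes.
function makeKey() {
  return webcrypto.subtle.generateKey(
    { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

async function sealRecord(key, record) {
  const iv = webcrypto.getRandomValues(new Uint8Array(12)); // fresh nonce per record
  const plaintext = new TextEncoder().encode(JSON.stringify(record));
  const ciphertext = new Uint8Array(
    await webcrypto.subtle.encrypt({ name: "AES-GCM", iv }, key, plaintext));
  return { iv, ciphertext }; // both are safe to store; the nonce is not secret
}

async function openRecord(key, sealed) {
  const plaintext = await webcrypto.subtle.decrypt(
    { name: "AES-GCM", iv: sealed.iv }, key, sealed.ciphertext);
  return JSON.parse(new TextDecoder().decode(plaintext));
}

// True when the async operation fails, e.g. on a bad auth tag or a blocked export.
async function fails(operation) {
  try { await operation(); return false; } catch { return true; }
}

async function demo() {
  const store = new Map(); // assumption: stands in for an IndexedDB object store
  const key = await makeKey();
  // Constructed sample record.
  store.set("prefs", await sealRecord(key, { theme: "dark", newsletter: false }));
  const roundTrip = await openRecord(key, store.get("prefs"));

  // Flip one bit of the stored ciphertext: AES-GCM refuses to decrypt it.
  const tampered = { iv: store.get("prefs").iv,
                     ciphertext: Uint8Array.from(store.get("prefs").ciphertext) };
  tampered.ciphertext[0] ^= 1;
  const tamperDetected = await fails(() => openRecord(key, tampered));

  const exportBlocked = await fails(() => webcrypto.subtle.exportKey("raw", key));
  return { roundTrip, tamperDetected, exportBlocked };
}
```

A non-extractable key keeps script from exporting the key bytes, but any script running in the page's origin can still ask the browser to decrypt, so this protects the stored copy rather than the live session.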
There are ways to identify a user without actually storing data on their device at all. Using IP addresses in combination with browser user agents and other factors is one option, but perhaps not terribly reliable.
However, depending on the platform for your target audience, you have some interesting third-party options:
Advertising ID comes from Google, and literally tracks users by their Chrome browser installation and Android devices (Hi, Google!). Now, it’s not perfect from an advertiser’s perspective, because users can opt out of it. But then, that just makes me like it more.
IDFA (identifierForAdvertising) is Apple’s version of the same technology, and tracks iOS and Mac users. If you have something overpriced with no headphone jack to sell, this is your market. (Sorry not sorry.)
Then there are Statistical IDs, which is basically when advertising companies try to guess who is who based on statistical analysis. If I had to guess, I’d say they’re not bad at that. They still just have no idea what I actually want.
What I would give…
…to never see another one of those cookie notices: A pinky toe. A good amount of my dignity. I’d make tacos for every single EU politician. But I’ll be content if y’all just think hard about whether or not you really need a cookie for whatever you’re doing, and consider one of the alternatives.
I’m in Mexico City now, if you want those tacos.
Featured image via Unsplash.