A few days ago Mikkel deMib Svendsen from Denmark published a blog post — which has already gone “hot” on Sphinn — in which, discussing Samy Kamkar’s EverCookie, he expressed concern for the future well-being of affiliate marketing as a whole. Here’s an excerpt:
Normally if you set a “permanent” cookie it can relatively easily be deleted. …With EverCookie multiple cookies are set. Currently Samy’s EverCookie supports 10 different types of cookies!
The real smart thing about EverCookie is not just that it sets 10 cookies. Theoretically you could go through each of them … and delete them. But that won’t work with the EverCookie because as long as just one cookie is left this is used to set the other 9 cookies again…
If you are working in the affiliate space you can probably see the problem with this type of cookie. Basically, if I, as an affiliate of your company, can set an EverCookie on users no other affiliate will ever be able to overwrite it. The EverCookie essentially overrides the standard that most merchants and affiliate networks use where the last affiliate partner prior to a sale gets the commission on that sale. …Of course this will really upset all your other affiliates…. It could potentially kill your entire affiliate program — or affiliate network. At least if you don’t deal with it — fast and efficiently! [full post here]
Sounds scary, doesn’t it?
Well, working in the affiliate space myself, I actually do not see any reason for concern. If the news of EverCookie came coupled with news that a major affiliate network decided to switch to EverCookie(s), that would’ve been a totally different situation. However, the way things look right now, there really is nothing to “deal with”.
As someone has already pointed out in the comments to Mikkel’s above-quoted post, cookies set by affiliates through affiliate program links are third-party cookies (as opposed to first-party cookies that affiliates themselves may be able to set). So there is absolutely no way for “an affiliate of [a] company” to “set an EverCookie on users no other affiliate will ever be able to overwrite”.
In addition to this, a good observation was made by David Bullock, Vice President of Technology at OneCoach. There actually is a context within which EverCookie may become problematic, and here’s Dave’s description of it:
EverCookie is the program/code that sets the cookies, and recreates them if some are missing. It has to be run from a website.
In order for the cookie to be regenerated, the EverCookie script has to be run again, the same situation as if the visitor revisited the Affiliate A’s site after getting a new cookie at Affiliate B and overwrote it with a regular cookie.
The only way this would be an issue is if the Merchant (not a rogue affiliate) regenerated the dormant affiliate cookies and overwrote the last legitimate cookie with an old EverCookie record. That would be very easy to spot since the merchant would have to be running the EverCookie scripts on their site.
So, technically it is possible for a merchant to start using EverCookie to overwrite “the last legitimate cookie” of an affiliate, robbing the latter of the commission that is due. But then again… this by no means kills affiliate marketing, because as soon as an affiliate network (or an affiliate) spots such merchant behavior, it’ll be brought to light (with all natural consequences). And no serious merchant wants that.
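The merchant-side scenario described above, together with one way a network could spot it by checking each credited sale against its own click log, as an added example that is not code from the post or from EverCookie. The function names, the single `backup` store standing in for EverCookie's extra storage locations, and all sample values are assumptions made for illustration.

```javascript
// Model of a visitor's browser: the ordinary tracking cookie plus a backup
// store standing in for the extra locations a regenerating script writes to.
function newBrowser() {
  return { cookie: null, backup: null };
}

// Ordinary last-click tracking: each click overwrites the cookie and is logged.
function trackClick(browser, log, visitor, affiliate, ts) {
  browser.cookie = { affiliate, ts };
  log.push({ visitor, affiliate, ts });
}

// The merchant-side scenario from the post: a stale backup record is written
// back over the current cookie when the regenerating script runs.
function regenerateFromBackup(browser) {
  if (browser.backup) browser.cookie = { ...browser.backup };
}

// Audit: the credited affiliate must match the visitor's latest logged click
// at or before the sale. Returns the sales that do not match.
function auditSales(sales, log) {
  return sales.filter((sale) => {
    const prior = log.filter((c) => c.visitor === sale.visitor && c.ts <= sale.ts);
    if (prior.length === 0) return true; // credit with no click on record
    const last = prior.reduce((a, b) => (b.ts > a.ts ? b : a));
    return last.affiliate !== sale.credited;
  });
}

// Constructed scenario (all names and timestamps are made up).
function runScenario() {
  const log = [];
  const v1 = newBrowser();
  const v2 = newBrowser();
  trackClick(v1, log, "v1", "affiliate-A", 100);
  v1.backup = { ...v1.cookie };                  // record copied to extra storage
  trackClick(v1, log, "v1", "affiliate-B", 200); // B is now the last click
  regenerateFromBackup(v1);                      // stale A record overwrites B
  trackClick(v2, log, "v2", "affiliate-C", 150); // untouched control visitor
  const sales = [
    { visitor: "v1", credited: v1.cookie.affiliate, ts: 300 },
    { visitor: "v2", credited: v2.cookie.affiliate, ts: 310 },
  ];
  return { sales, flagged: auditSales(sales, log) };
}

console.log(runScenario().flagged);
```

Only the v1 sale is flagged: the cookie credits affiliate-A while the click log shows affiliate-B as the last click before the sale.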
Geno, thank you so much for the mention. This is a topic near and dear to our hearts. We not only use affiliate programs, but many of our business coaching and momentum customers do as well and they will be coming to us for information on the topic.
– David Bullock
OneCoach
Sure thing, David. I’ve found your comments really well-thought-through, and worth the quote. Great points raised. Thank you.
I don’t see it potentially causing a problem from an overwriting perspective at all. Affiliates don’t set the cookies, the networks or in-house tracking program set the cookies. The normal way for most systems to track the last click is to overwrite the existing cookie with the new affiliate information anyway. That new cookie would then become the EverCookie.
Cookies can only be read by their domain, so even if an affiliate set a bogus cookie, the network wouldn’t read that cookie, but the network cookie instead. Most networks have built-in systems for identifying bogus generated cookies anyway (click info is in the cookie as well to correlate in their databases).
The real issue about EverCookie is one of privacy. It’s not cool to thwart consumers’ efforts to delete their cookies if they so desire, especially with cookies associated with some kind of tracking. There are currently several class action lawsuits pending over this very thing for Flash Cookies and their regeneration ability and difficulty to remove. The outcome of those suits may prove to be problematic for the networks using Flash cookie tracking (and there are some rather large networks using them).
If you look at how EverCookie is achieved, it’s by placing all these cookies in all kinds of places where cookies aren’t meant to be and exploiting other systems (like the Flash cookies).
It’s asking to get a big privacy slap upside your head & it’s very short-term thinking. These are the kinds of things that make security companies do their blocking thing.
Kellie, excellent input, as always. I agree that there is a huge issue of privacy here. It’s somewhat outside of my main topic, but glad you’ve touched upon it.
…and I’d highly appreciate you emailing me the info on the lawsuits over “Flash Cookies and their regeneration ability and difficulty to remove”.
So, the biggest issue with cookie regeneration and I believe the target of the flash cookie lawsuits isn’t so much with your run of the mill website.
It’s also important to note that EverCookie isn’t anything new. The same techniques are in use by the big players, EverCookie was maybe just the first open-source version made widely and publicly available. It highlighted the existing problem, not invented it.
The problem is with the ad and analytics companies such as Microsoft, Google, DoubleClick (acquired by Google), Omniture, Facebook, etc. Incidentally Omniture is especially sneaky in that their cookies belong to a 2o7.net domain that is harder to trace back to Omniture. Check your browser for 2o7.net cookies, they’re in use on MANY sites and email tracking campaigns.
These companies have banner ads, analytics snippets, and widgets like the Facebook like/login buttons and other elements that are implanted on other companies’ websites that allow them visibility on everything those websites’ visitors do.
By employing hard to eliminate, regenerating cookies these companies can remotely monitor almost every move you make on the web. They use this accumulated information to better target the ad displays you see or to sell your demographics and more importantly your psychographics to other companies.
We teach that psychographics are FAR more valuable on the internet than demographics. Demographics is who you are, where you live etc. Psychographics is what you WANT, and it can be derived from your browsing history.
This is in contrast to most of us who operate our websites and who cannot “see” beyond our borders and who can’t do much more with our cookies than identify returning visitors, or save preferences.
While this data is almost always sold in bulk and is not intended to carry any PII (Personally Identifiable Information), it’s been shown several times that this information can be de-anonymized if you gather enough/right information.
For reference Netflix and AOL have both stopped supplying anonymized research data after it was proven that 3rd parties could de-anonymize it.
And for the anti-privacy people out there, the question isn’t “what are you doing that you have to hide” or some tired morality play about web porn, the question is: who’s looking at your data and making judgments and decisions about you that may affect you, that you don’t know about or have any influence over? Are they the right judgments? And, since you don’t know about them, how can you correct them?
– David Bullock
OneCoach
I think bigger merchants will never use evercookie.
Maybe you spotted news about legal action on zombie cookies:
http://www.bbc.co.uk/news/technology-10787882
I think it is against privacy if an application recreates a cookie you already deleted, and I would not risk it just because of one sale not correctly assigned to the right affiliate.
I own a company which develops affiliate software, and when we looked at the average behavior of customers, most sales are made within the first day after the first click on an affiliate link … it is too short a time to be afraid that the visitor will delete all his cookies before he makes a purchase.
Geno: Excellent post, and thanks for sharing your thoughts.
I was also pleased to see Kellie and David make their comments on the larger scope of the issue, which is not affiliate marketing related, but rather an issue of good business practice versus bad business practice.
Anyone involved in online marketing knows that the WSJ (Wall Street Journal) and some other media outlets have been reporting on, or misrepresenting the purpose of, cookies for a long time now. They have been demonized since the public became aware of them.
I think the key phrase we should all remember is this:
The data belongs to the end user. The PC belongs to the end user. We, as marketers, should NEVER do anything that has immediate or long term negative impact on the consumer.
The Web Analytics Association directly speaks to this in the proposed new Code of Ethics: http://waablog.webanalyticsassociation.com/2010/09/web-analytics-code-of-ethics.html
So for me, there are absolutely NO REDEEMING QUALITIES to this cookie whatsoever.
Thank you for chiming in with your thoughts on the topic, Kevin. All of you (yourself, Kellie, David, and Viktor) are bringing up a very important point: the technology of cookie-regenerating scripts puts such solutions beyond the line of what’s acceptable. Once again, thank you all for expressing your opinions on the topic.
Insightful report on the issue.