The laws don't define cookies narrowly. Just because you're not using an http set-cookie header doesn't mean you've circumvented privacy laws. For example, UK law:<p><a href="http://www.aboutcookies.org/default.aspx?page=3" rel="nofollow">http://www.aboutcookies.org/default.aspx?page=3</a><p>6. - (1) Subject to paragraph (4), a person shall not store or gain information, or to gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.<p>(2) The requirements are that the subscriber or user of that terminal equipment -<p>(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and<p>(b) has given his or her consent.
The more common way to do this is to stuff data in the ETags or Last-Modified date on a cacheable piece of content. This "hack" is at least a decade old, by the way.<p>Kissmetrics was actually using it in the wild for a while, but I think they stopped after there was a public outcry.
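Added example, not part of the comment above or of the original thread: a defender-side check for the cache-validator trick it describes. It compares the ETag and Last-Modified values that fresh browser profiles receive for byte-identical content; the observations, hostnames and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed observations: (profile, url, body_sha256_prefix, etag, last_modified).
# Each profile is a fresh browser profile that fetched the URL with an empty cache.
OBSERVATIONS = [
    ("a", "https://t.example/pixel.gif", "9f2c", '"7c1e44a0"', "Tue, 03 May 2011 10:00:00 GMT"),
    ("b", "https://t.example/pixel.gif", "9f2c", '"0be5d913"', "Tue, 03 May 2011 10:00:00 GMT"),
    ("c", "https://t.example/pixel.gif", "9f2c", 'W/"51aa02fe"', "Tue, 03 May 2011 10:00:00 GMT"),
    ("a", "https://t.example/stamp.js", "41d0", '"v1"', "Sat, 01 Jan 2011 00:03:17 GMT"),
    ("b", "https://t.example/stamp.js", "41d0", '"v1"', "Sat, 01 Jan 2011 07:41:52 GMT"),
    ("a", "https://static.example/logo.png", "c3ab", '"abc123"', "Mon, 02 May 2011 08:00:00 GMT"),
    ("b", "https://static.example/logo.png", "c3ab", 'W/"abc123"', "Mon, 02 May 2011 08:00:00 GMT"),
]


def normalize_etag(etag):
    """Drop the weak-validator prefix so W/"x" and "x" compare equal."""
    etag = (etag or "").strip()
    return etag[2:] if etag.startswith("W/") else etag


def find_validator_tracking(observations):
    """Return {url: [reasons]} for URLs whose validators differ between
    clean profiles although the response body is identical."""
    by_content = defaultdict(list)
    for profile, url, body_hash, etag, last_modified in observations:
        by_content[(url, body_hash)].append((profile, normalize_etag(etag), last_modified))

    findings = defaultdict(list)
    for (url, _body_hash), seen in by_content.items():
        if len({profile for profile, _, _ in seen}) < 2:
            continue  # one profile alone gives nothing to compare against
        etags = {etag for _, etag, _ in seen if etag}
        dates = {date for _, _, date in seen if date}
        if len(etags) > 1:
            findings[url].append(f"{len(etags)} distinct ETag values for identical content")
        if len(dates) > 1:
            findings[url].append(f"{len(dates)} distinct Last-Modified values for identical content")
    return dict(findings)


if __name__ == "__main__":
    for url, reasons in find_validator_tracking(OBSERVATIONS).items():
        print(url, "->", "; ".join(reasons))
```

This is a heuristic: ETags derived from per-server file metadata can also differ across a load-balanced farm, so a finding is a lead to inspect rather than proof of tracking.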
Demo site appears down, but I get the gist of it. It's just abusing browser caching.<p>Rather than a bunch of ad networks and analytics companies finding workarounds, I'd rather sites just stand up to this obviously flawed rule. It's ill thought out, and I have no plans to offer one of those annoying "Hey, this site uses cookies, just like every other site on the internet!" alerts.
This paper on browser fingerprinting shows that it is possible to identify a particular user, with reasonably high reliability, without using cookies or other tricks: <a href="https://panopticlick.eff.org/browser-uniqueness.pdf" rel="nofollow">https://panopticlick.eff.org/browser-uniqueness.pdf</a>
I agree with paulsutter - this does not comply with the law, nor do any of the hacky workarounds that I've seen mooted (except perhaps server side log file analysis - old school). I've added a comment to that site, which is awaiting moderation.
Is it just me being a perfectionist, or does needing to OCD your cookie data down to census level indicate that maybe your business model needs a little work? Are there certain niches where this degree of tracking is really necessary?
Standard HTTP headers carry values that are distinct enough to uniquely identify most visitors: <a href="https://panopticlick.eff.org/" rel="nofollow">https://panopticlick.eff.org/</a>
Unless you want to get sued (<a href="http://www.extremetech.com/internet/91966-aol-spotify-gigaom-etsy-kissmetrics-sued-over-undeletable-tracking-cookies" rel="nofollow">http://www.extremetech.com/internet/91966-aol-spotify-gigaom...</a>), I would avoid doing this until the legal grey area surrounding non-cookie tracking is resolved. I suppose you might be able to get a user to "agree" to this if you have them agree to a ToS when they sign up, but even then I'm not too sure of that.