Privacy in a Cookieless world? Server to Server tracking explained

Has this ever happened to you? — Your relative, friend connection, acquaintance, network…. starts seeing Ad content for products you’ve been looking at? No more surprises aye! As we move away from Cookie tracking, and towards Server to Server tracking, let’s not lose track of the most important thing. Privacy.

This scenario keeps happening to me and my wife! Seriously, no more birthday surprises. It happened today, and was so clearly connected — as I explained to my wife how it works — I couldn’t resist staying up a little later to explain it here.

The scenario: I’ve just been browsing a food delivery app to order a takeaway. 2 mins into looking, my wife stopped me and said have I been looking at [insert restaurant name] as it is now showing across her social media feed! Yes I had.

The reason: Server to Server tracking. (Disclaimer. Ok, I’m not 100% sure this is the reason, but given my knowledge of web tech I’ll be making a few assumptions in this post).

Let’s quickly brush up on the definition of a (feel free to skip this bit)…

Server

Apologies in advance, I’m going to explain this as simply as possible… When we use the term Server, just think of the ‘Cloud’. A place — we call it a data center — holding lots of information away from your computer (websites, photos, music, data…etc).

Your browser lets you access Server information, you are doing it now by loading this website, or earlier perhaps you were “streaming” music. We also send information to the Server, you do this when you sign into the website so the Server knows who you are. If you are using an app on your phone, just think of it in the same way I’ve described a browser — loading data in / sending data to / storing data from a Cloud Server.

Cookies

Now, Cookies. They are not stored in a Server. They can transfer information to and from the Server, but they are stored in your browser (or app). This is why Cookies are said to ‘track’ you across websites, because they exist on your computer. In reality there is a little more to this (e.g restrictions by domain), but let’s go with it, Cookies won’t exist for too much longer anyway!

“Yay, the Cookieless world is coming. So now I can’t be tracked? Right?” Not quite. Instead, your activity will now be shared with, and tracked across, the Servers hosting the websites and data. So your activity can now be seen and tacked across each device you use. Eeeek.

Photo taken by me — Not all Cookies should go :)

Now…

Server to Server Tracking

In a lot of the websites and apps you use today, you are “logged in”. This allows the website to send a ‘unique identifier’ to the Server — something unique to you e.g your email address. It will likely be ‘coded’ — so that it can’t be recognised or understood by anyone but remains unique to you. In some — very yucky — services they may attempt to ‘finger print’ you based on a combination of your computer / phone / browser / location… to create that ‘unique identifier’.

Let’s revisit my initial scenario…

1. I see an Advert for a restaurant on my laptop. My ‘unique identifier’ gets sent to the Ad Server. The Ad service now knows I’ve seen this Advert.
2. I then use a food delivery app on my phone. I ordered food from the restaurant in the Advert. My ‘unique identifier’ gets sent to the Ad Server to let it know.
3. The Ad service knows the Advert worked. This is called a Conversion. Who needs Cookies!

Hang on, that’s not the initial scenario. What about your wife seeing the Ad?

Similar audience targeting

Image Source — Talent management vector created by pch.vector — www.freepik.com

Now this is where it gets interesting. The Ad Server doesn’t just collect my ‘unique identifier’ at these opportunistic points in time, it also builds up a profile of ‘life data’ along with it based on my network, connections, and content I’m visiting. This could include my sex, location, age, life events, spend, children and on and on.

Using this data Ad Servers can do things like — show you Ads to remind you about websites you’ve visited (this is called remarketing); build lists of relevant Ads to send you (this is called similar audience lists — based on what other folk — similar to you — are reacting to); or even predict (check out my — Structuring data to predict the future — blog) what you are most likely to do.

Now let’s revisit my initial scenario (not what I assume is happening)…

1. I use a food delivery app on my phone. My ‘unique identifier’ gets sent to the Ad Server, along with information on what restaurants I’ve been looking at.
2. The Ad Server uses the data it has on me, to put the restaurant’s Ad into a similar audience list. My wife is also in this list (which makes sense given our ‘life data’ is aligned). I always wonder if the Ad Server knows we are married — given it’s a setting in the social media app ¯\_(ツ)_/¯ .
3. My wife is browsing her social media website feed on her laptop, and sees an Ad for the restaurant I’m looking at.

And after that I still ended up ordering from the restaurant 😬. Not because of my wife seeing the Advert, it was what I wanted to eat… I think 🤔.

A note on Privacy

Image Source — Private vector created by jcomp — www.freepik.com

Server to Server tracking. Improving “on target” Ad tracking, the ability to create more accurate lists of user groups, and track across devices. No more surprises.

So… is moving to a Cookieless world improving our Privacy? Comments below. Thanks for reading.