Tracking without cookies


During a session at IDP 2011 (conference on Internet, Law and Politics) in Barcelona I started thinking about the issue of opt-outs / opt-ins for tracking cookies. If we were to imagine a situation where most people reject tracking cookies – which would be nice – then those who are interested in tracking users would have to resort to other methods.

I just came up with one.

I haven’t seen this before but it’s fairly obvious; I’m sure that there are dozens of variations on this theme or even much better approaches. By “better” I mean “more effective”, not necessarily nicer – violating people’s privacy is not nice.

First, create a hidden element containing a bunch of links to, for example, URLs that differ only in a number X, with X running from 1 to 33. 33 is enough because 2^33 is greater than the number of humans (by about a billion), but you might want to add more links. The element is hidden using the display:none CSS directive.

When the page is loaded, JavaScript on the page checks each link in sequence to see whether it has been “clicked”, by reading the “visited” property. If none of them have been clicked, it sends a request to the server (over AJAX), which sends back a number (between 1 and 2^33). That number is expanded in binary to work out which links to click, and those links are then opened in hidden frames.

From now on, when the page is opened (until the user clears browsing history) the relevant links will be marked as “visited”, so the script will figure that out and send a unique ID code back to the server (over AJAX). Anything which is relevant to the identity of the user is then sent back.

This is of course a terribly convoluted way of tracking people, but for the purposes of the exercise it is sufficient. It’s easily thwarted by clearing browsing history, but a lot of users aren’t going to do that.
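Seen from the defender's side, the structure described above (a container hidden with display:none that holds dozens of links) is something a page audit can flag in the source. The following is an added example, not code from the original post: a heuristic check built on Python's standard `html.parser`. The threshold of 16 links, the sample pages and their `/t/X` URLs are assumptions constructed for illustration, and only inline styles are inspected.

```python
import re
from html.parser import HTMLParser

VOID = frozenset("area base br col embed hr img input link meta source track wbr".split())
HIDDEN = re.compile(r"display\s*:\s*none", re.I)  # inline styles only (assumption)

class HiddenLinkAudit(HTMLParser):
    """Counts distinct link targets inside each inline-hidden element."""
    def __init__(self):
        super().__init__()
        self.stack = []     # open elements: (tag, set of hrefs) or (tag, None)
        self.findings = []  # (tag, distinct href count) per closed hidden element

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            for _, hrefs in self.stack:  # credit every hidden ancestor
                if hrefs is not None:
                    hrefs.add(attrs["href"])
        if tag not in VOID:  # void elements never get an end tag
            hidden = HIDDEN.search(attrs.get("style") or "")
            self.stack.append((tag, set() if hidden else None))

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):  # pop to matching open tag
            if self.stack[i][0] == tag:
                closed = self.stack[i:]
                self.findings += [(n, len(h)) for n, h in closed if h is not None]
                del self.stack[i:]
                break

def audit(html, threshold=16):
    """Return hidden elements holding at least `threshold` distinct links."""
    parser = HiddenLinkAudit()
    parser.feed(html)
    parser.close()
    return [f for f in parser.findings if f[1] >= threshold]

# Constructed sample pages (not taken from any real site).
SUSPECT = ('<body><p>Hello</p><div style="display: none">'
           + "".join(f'<a href="/t/{x}">.</a>' for x in range(1, 34))
           + "</div></body>")
BENIGN = ('<body><ul style="display:none"><li><a href="/a">A</a></li>'
          '<li><a href="/b">B</a><br></li></ul><a href="/c">C</a></body>')

if __name__ == "__main__":
    print(audit(SUSPECT))  # the 33-link hidden container is reported
    print(audit(BENIGN))   # a small collapsed menu stays below the threshold
```

A hit is only a prompt for manual review: hidden navigation menus can legitimately contain many links, and hiding applied through a stylesheet or script is not seen by this check.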

What this highlights is that banning tracking cookies isn’t sufficient. Banning tracking generally probably isn’t either, as it’s an arbitrarily complex problem.

Just a thought.