Criteo and AdRoll, the Web’s Cookie Monsters

If you shop on the web as much as I do and you use Safari, you’ve probably come across this notice sliding into the bottom of your browser window:

Your browser blocks some 3rd party cookies by default. By clicking on this page you allow our partner Criteo to place its cookies and serve personalized ads. You can read more or disable Criteo ads here. This notice only appears once.

I’ve seen this banner on the websites of retailers ranging in size from boutiques to major brands, and it seemed a little bit fishy to me with its super careful wording. So I did a bit of digging.

Let’s unpack that statement a little bit at a time. First, who is “[their] partner Criteo”? To get a complete picture of exactly who Criteo is and what they do, I started where anyone would — on their about page:

Unlike the vast majority of the market, we use a transparent cost-per-click model and we measure value purely on post-click sales. This demanding model is supported by ongoing, automated learning of each shopper wherever they are in mobile apps or online, along with your campaign’s performance against thousands of variations of dynamically-created ads.

Criteo are, in short, an advertising technology firm with a retargeting product. That’s nothing particularly special; there are dozens of companies that do that, as amply demonstrated by this aneurysm-inducing chart.

But Criteo has another trick up their proverbial sleeves. At the end of 2013, they got some press for a feature dubbed their “mobile web solution”. Judith Aquino of Ad Exchanger explains:

Similar to their desktop counterparts, mobile browsers handle first- and third-party cookies in different ways. Google’s mobile Chrome browser, for example, allows all cookies by default and allows users to switch to more restrictive options. Apple’s mobile Safari browser accepts cookies from sites users have visited (i.e., first-party cookies) and blocks third-party cookies by default, though users can change their privacy settings.

And while Mozilla announced early this year that it was experimenting with blocking third-party cookies from its mobile Firefox browser, the company has since delayed this plan.

[Chief product officer Jonathan Wolf] declined to discuss in detail how Criteo navigates the browsers’ various criteria but pointed out that after releasing its mobile web solution to a handful of customers in late September, the company claims to have delivered “at least two billion” mobile ads among 20 countries.

This, rather conveniently, brings me to the first sentence in that notice you see when visiting a Criteo-enabled website: “Your browser blocks some 3rd party cookies by default”. As Aquino explained, different browsers treat cookies differently by default. Safari and Mobile Safari behave a little differently than Chrome or Firefox by default, in that they disallow third-party cookies other than those from sites navigated to by the user.

For example, if you’ve never visited Facebook.com in Safari but you read a news site that has a Facebook “Like” button, Facebook will be unable to set its cookies. If you have visited Facebook.com at some point, it will be able to set cookies via that news site. Other browsers behave differently by default, inasmuch as they will allow Facebook to set cookies via that news site, even if you’ve never visited Facebook.

This default setting presents a problem for Criteo. While an average user can be expected to have visited Facebook at some time in their browsing history, almost nobody will knowingly visit Criteo.com or their ad server addresses. Furthermore, while desktop Safari does not represent a significant share of the global web browser market, Mobile Safari does. For Criteo’s ad targeting platform to work, they need to be able to set a cookie, and Safari is configured by default to disallow this behaviour — unless Criteo somehow forces users to visit their site.

And that’s the next part of that notice:

By clicking on this page you allow our partner Criteo to place its cookies and serve personalized ads.

Criteo relies upon a couple of small pieces of JavaScript to work. As with most scripts on the web — particularly those from companies that collect and process visitor data — it’s compacted and obfuscated, which makes it a little tricky to read.

Here’s what happens: when visiting a site that includes Criteo’s scripts, a bit of browser sniffing happens. If it’s a Safari variant — and only Safari — Criteo rewrites the internal links on the page to redirect through their domain, and it looks something like this:

http://r.criteo.com/r/a0629c7425c3efc213066a8ad8da4d326cceb9b4?t=aHR0cDovL3d3dy54aGliaXRpb24uY28vY29sbGVjdGlvbnMvc25lYWtlcnM=

The user is then sent to their intended destination page, and Criteo’s cookies are allowed to be set. All that’s needed is that split-second redirect for the first link clicked on the site.
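The rewriting described above can be spotted from the page’s own links. The following is an added example (not code from the article, Criteo or AdRoll) that scans a list of hrefs for links bounced through the r.criteo.com redirector, decodes the base64 `t` parameter to recover the real destination, and flags whether that destination was an internal link on the host site; the redirector hostname, the page origin and the sample link list are assumptions constructed for the example, with the rewritten URL taken from the one quoted above.

```javascript
// Added example: audit hrefs for tracker-redirector rewriting and recover targets.
// Runs in Node (uses Buffer for base64); in a browser, feed it document.links.

// Redirector host observed in the article; extend as needed (assumption).
const REDIRECTOR_HOSTS = new Set(['r.criteo.com']);

// If href bounces through a known redirector, decode the base64 "t" parameter
// that carries the intended destination; otherwise return null.
function decodeRedirectTarget(href) {
  let url;
  try { url = new URL(href); } catch (e) { return null; }
  if (!REDIRECTOR_HOSTS.has(url.hostname)) return null;
  const t = url.searchParams.get('t');
  if (!t) return null;
  const decoded = Buffer.from(t, 'base64').toString('utf8');
  try { return new URL(decoded).href; } catch (e) { return null; }
}

// Report every rewritten link, its true target, and whether the target was an
// internal link on the host page (the pattern the article describes).
function auditLinks(hrefs, pageOrigin) {
  const findings = [];
  for (const href of hrefs) {
    const target = decodeRedirectTarget(href);
    if (target === null) continue;
    findings.push({
      rewritten: href,
      target,
      internal: new URL(target).origin === pageOrigin,
    });
  }
  return findings;
}

// Return the list with rewritten links replaced by their direct destinations.
function restoreLinks(hrefs) {
  return hrefs.map((href) => decodeRedirectTarget(href) || href);
}

// Constructed sample: the rewritten link quoted in the article plus a normal link.
const SAMPLE_LINKS = [
  'http://r.criteo.com/r/a0629c7425c3efc213066a8ad8da4d326cceb9b4?t=aHR0cDovL3d3dy54aGliaXRpb24uY28vY29sbGVjdGlvbnMvc25lYWtlcnM=',
  'http://www.xhibition.co/pages/about',
];
const PAGE_ORIGIN = 'http://www.xhibition.co'; // assumed host page origin

console.log(auditLinks(SAMPLE_LINKS, PAGE_ORIGIN));
console.log(restoreLinks(SAMPLE_LINKS));
```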

Before I continue, I’d like to be perfectly clear: there’s nothing inherently nefarious about cookies, even those from third parties. They can be used to set language settings, store shopping cart data, or provide other services on a user-specific level.

But what Criteo is doing here is in direct violation of Safari users’ browser settings, whether they’re set explicitly or by default.

If this feels like deja vu to you, you’re not wrong. Between 2011 and 2012, Google did its best to work around Safari’s default privacy settings, too, according to the Wall Street Journal:

Last year, Google added a feature to put the +1 button in ads placed across the Web using Google’s DoubleClick ad technology. The idea: If people like the ad, they could click “+1” and post their approval to their Google social-networking profile.

But Google faced a problem: Safari blocks most tracking by default. So Google couldn’t use the most common technique—installation of a small file known as a “cookie”—to check if Safari users were logged in to Google.

To get around Safari’s default blocking, Google exploited a loophole in the browser’s privacy settings. While Safari does block most tracking, it makes an exception for websites with which a person interacts in some way—for instance, by filling out a form. So Google added coding to some of its ads that made Safari think that a person was submitting an invisible form to Google. Safari would then let Google install a cookie on the phone or computer.

Google settled this case last year for $17 million and increased oversight, without admitting any wrongdoing.

Criteo is not the only company circumventing Safari’s default restrictions — indeed, the Journal report cites a few other advertisers that used methods similar to Google’s. The comparison is particularly strong; Criteo also appears to explicitly target Safari users. I disabled third-party cookies in Chrome and Firefox, then visited sites known to incorporate Criteo. I was not presented with the banner notice.

All of the above is applicable to AdRoll’s retargeting scripts as well; they have a comparable method for evading Safari’s restrictions on third-party cookies. (AdRoll competes with Criteo in the retargeting space. Though lots of companies might have similar behaviour, I’m picking on these two because they’re pervasive and growing.)

The difference between what Google was caught and fined for doing and what Criteo and AdRoll are doing today is that the latter present users with a notice. However, I don’t think it’s as forthcoming as they make it seem.

For one, it’s hard to say whether the technical knowledge of most users is adequate to make an informed decision about first- and third-party cookies. In most cases, I do not believe users have enough information to make a decision.

Second, the opt-out setup that both ad tech companies have created — like other Ad Choices opt-outs — requires a cookie from those providers. When it expires or you clear your cookies, it will be assumed that you’ve opted back into their tracking. Update: Peter Clark at AdRoll has asked that I clarify that the banner will appear again, rather than immediately opting you in.

To make matters worse, a service both companies promote is their cross-device targeting feature “across browsers, devices, and apps”. The message is simple: Criteo will follow you everywhere, so be sure to opt out on every device and browser you regularly use.

And then there’s the implied message of the banner notice: you can either opt into retargeted advertising, or you can fuck off. Oh, and — as the banner says — the notice only appears once. Blink, and you’ll miss it.

Happily, there is a solution to this and other deceptive cookie practices. In your browser’s cookie settings, choose to allow cookies from the current website only. Additionally, you can block criteo.com and adroll.com using the JavaScript Blacklist extension for Safari, or the built-in JavaScript blocker in Chrome.

Alas, these are solutions that require a reasonably high level of foreknowledge. Most users will never know about these scripts and never understand what they do. And, as a result, two companies that most people have never heard of will amass a large amount of browsing data that most people would never elect to provide if given an honest choice.