1. Ashley Friedlein Staff

    CEO at Econsultancy

    13 September 2005 12:27pm

    I was just reading Dave Chaffey's recent article for WNIM "Are your cookies threatened? Why should you care?" which has a good overview on where we are with cookies. And it also includes reference to E-consultancy (thanks Dave...).

    However, it doesn't address a question which I'm not entirely clear on which is around the first party cookie / third party cookie debate.

    The argument is that it is third party cookies which are suffering from deletion and blocking to a much higher extent than first party cookies. 

    I always understood that first party cookies could only be served AND read by the same domain / server - the site that you're on. So ad view tracking across multiple sites, for example, could only be done with third party cookies. Something which DoubleClick got rapped over the knuckles for a few years back due to privacy concerns. 

    But speaking to web analytics providers recently, and their latest generation of tag-based ASP solutions, it appears they (as a third party) are able to serve a cookie using JavaScript, via the host site, and then read that cookie. 

    Maybe I haven't got that correct technically but certainly my understanding is that these solutions allow first party cookies to be set but read by a third party...? So what exactly is going on here? And, if it is possible to do some JavaScript jiggery-pokery to get round third party cookie blocking, doesn't this throw up some quite scary scenarios? A bit like the way banner ads can deliver you viruses just by viewing them...?

    Any explanation from someone with a bit more technical knowledge appreciated...

    Ashley Friedlein
    CEO, E-consultancy.com
     

  2. Matthew Tod Platinum

    CEO at Logan Tod & Co.

    13 September 2005 13:02pm

    Hi Ashley,

    This is all done through DNS as the following instructions from an analytics vendor show:

    1. The Client creates a new server subdomain name related to their own domain (for example, www2.client.com).

    2. This domain is pointed to the web analytics company’s domain name servers, which resolve these requests to their data collection servers.

    3. The page tags on the Client site will send data to the analytics company server, and because the domain names will be the same, the browser will consider the analytics company server to be a first-party server.

    If a secure site is involved then a new SSL certificate is needed.

    All the analytics vendors use a similar process - except for those nice people at speed-trap who shun the whole cookie issue completely!

    Matthew Tod
    Chief Executive
    Logan Tod & Co
    Email: matthew.tod@logantod.com
    Website: www.logantod.com
    Telephone: 020 7717 8447
    Mobile: 07961 042870
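
The DNS arrangement in the post above, looked at from the browser's side: an added example (not part of the original thread and not any vendor's code) that applies the RFC 6265 domain-matching rule to show which of the client's cookies a request to the delegated host carries. Hostnames other than www2.client.com and all cookie names are constructed; public-suffix, Path, Secure and expiry handling are left out.

```javascript
// Added example: RFC 6265 cookie scoping applied to a delegated subdomain.
// Hostnames other than www2.client.com and all cookie names are constructed.
// Public-suffix, Path, Secure and expiry checks are left out on purpose.

// RFC 6265 s5.1.3: identical, or host ends with "." + cookie domain.
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Model what the browser stores after Set-Cookie from `setterHost`.
// No Domain attribute -> host-only cookie. A Domain that does not cover
// the setting host is rejected (returns null).
function storeCookie(setterHost, name, domainAttr) {
  if (!domainAttr) {
    return { name, domain: setterHost.toLowerCase(), hostOnly: true };
  }
  const domain = domainAttr.replace(/^\./, "").toLowerCase();
  return domainMatch(setterHost, domain) ? { name, domain, hostOnly: false } : null;
}

// Names of the cookies the browser attaches to a request for `requestHost`.
function cookiesSentTo(requestHost, jar) {
  const host = requestHost.toLowerCase();
  return jar
    .filter((c) => (c.hostOnly ? host === c.domain : domainMatch(host, c.domain)))
    .map((c) => c.name);
}

// Constructed cookie jar for a visitor of the client's site.
const jar = [
  storeCookie("www.client.com", "session", null),             // host-only
  storeCookie("www.client.com", "prefs", "client.com"),       // whole domain
  storeCookie("www2.client.com", "visitor_id", "client.com"), // set by collector
].filter(Boolean);

for (const host of ["www.client.com", "www2.client.com", "collect.vendor.example"]) {
  console.log(host, "receives:", cookiesSentTo(host, jar).join(", ") || "(none)");
}
```

The delegated host receives every cookie scoped to client.com, so cookies set without a Domain attribute are the ones that stay off the collection server.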

  3. Malcolm Duckett Bronze

    VP Operations & Marketing at Celebrus Limited

    13 September 2005 13:41pm

    Ashley it all gets a bit complex down at this level, but let me try to explain the process (and as it happens I think, allay your concerns)... My answer relates to speed-trap's Dynamic Collection approach (which as Matthew Tod notes is a rather unique one - thanks Matthew) - so you might need to ask other vendors how they solve the problem - and Matthew explains another (DNS-related) approach.

    As you say "I always understood that first party cookies could only be served AND read by the same domain / server - the site that you're on." and this is true. The point is that if your tag is in the page you are browsing (or being directly referenced by it) then the monitoring code IS part of the site as it is part of the page, so it is able to access the first-party cookie...

    ...and that is not a problem as the site owner has knowingly added the tag to the page just like any other piece of content in the page - the fact that it might be served from another server (the Analytics ASP in this case) is kind of irrelevant.

    The significant point is that the cookie being set, manipulated or read IS a first party cookie and IS part of the site (domain) you're browsing - not part of the "third-party" monitoring server. ... So imagine you go to www.a.com (which is being monitored by speed-trap) the analytics system can set or read items in the cookie belonging to www.a.com. But when the visitor goes to www.b.com the ONLY cookie the monitoring system can see would be the one belonging to www.b.com domain (even if this site is also being monitored by speed-trap.) This ensures the user's privacy (e.g. no-one can compile a list of sites they visit) while allowing returning visitor activity on each site to be separately monitored.

    If you REALLY want to use 3rd-party cookies then of course our systems COULD read them, but not something we would condone, or have found necessary - but as the world is now aware of the risks associated with 3rd-party cookies, it is good to see that their blocking rates are getting very high.

    PS - just took a look at the stats from one of our multi-national customers and over the last week we saw 58 sessions blocking 1st-party permanent cookies from over 51,000 sessions on the site... 0.115% to be precise... sadly (as we don't use them) we don't have stats for 3rd-party refusal rates, but 50%+ seems to be the kind of number being pushed around by the pundits...

    Hope that helped....

  4. Ashley Friedlein Staff

    CEO at Econsultancy

    13 September 2005 13:43pm

    Ah... I see. Makes sense. As the client is in control of the DNS setting it's not open to abuse. I can sleep easy again...

    On 13:02:15 13 September 2005 matthewtodlogantodcom wrote:

     

    Hi Ashley,

    This is all done through DNS as the following instructions from an analytics vendor show:

    1. The Client creates a new server subdomain name related to their own domain (for example, www2.client.com).

    2. This domain is pointed to the web analytics company’s domain name servers, which resolve these requests to their data collection servers.

    3. The page tags on the Client site will send data to the analytics company server, and because the domain names will be the same, the browser will consider the analytics company server to be a first-party server.

    If a secure site is involved then a new SSL certificate is needed.

    All the analytics vendors use a similar process - except for those nice people at speed-trap who shun the whole cookie issue completely!

    Matthew Tod
    Chief Executive
    Logan Tod & Co
    Email: matthew.tod@logantod.com
    Website: www.logantod.com
    Telephone: 020 7717 8447
    Mobile: 07961 042870

     
