The Cookie Conundrum

Cookies will drive you nuts. As you know, cookies – or very small files that recognize you as uniquely you to particular websites – are kind of the backbone of affiliate marketing. If the cookie didn’t exist, there would be no way for you to claim the sale or track your core customers. This would effectively kill affiliate sites in their tracks.

Or will it? Recent studies on cookies have only confused matters. Survey respondents have said they delete cookies off their hard drives as frequently as every week. JupiterResearch in April released its cookie study that said nearly 40 percent of those online trash cookies monthly. Burst Media weighed in with its findings, echoing Jupiter’s study: 38 percent of online consumers nix their cookies once per month. Nielsen NetRatings pushed up the panic by stating that 43.7 percent of its respondents said they dumped cookies monthly. An InsightExpress survey said 56 percent. But then it backpedaled, saying probably fewer than that number actually delete cookies, citing data that when study participants were asked to immediately trash their cookies, only 35 percent did it correctly.

Even more baffling to the average user are the different kinds of cookies that exist: first-party cookies; third-party cookies; tracking cookies; local shared objects. It boggles. Even Walter Mossberg, a well-respected tech columnist for The Wall Street Journal, came out strongly against tracking cookies and suggested they be classified as spyware. In the same breath he did admit that first-party cookies are what make the Web a fun, personalized experience.

Even so, the studies seem pretty grim. If the results are accurate, then nearly half your sales would be freebies – meaning that 50 percent of your commissions would also disappear.

But then in April, Atlas Institute released an analysis of some of those studies and concluded many simply weren’t true. Atlas found that 40 percent of those who said they deleted their cookies monthly didn’t do it when they said they did. Cookies were generally present twice as long as respondents stated on their surveys.

It wasn’t a conspiracy. In many cases, it was just bad recall. In some instances, respondents assumed cookies were being deleted by anti-spyware products installed on their computers. Some of the deletion numbers are so high because users think the software is doing it for them. In many cases it isn’t. This puts anti-spyware and anti-adware software makers in a strange position: is it their responsibility to help you manage your cookies, or is it just a whole lot of paranoia?

Of the most popular anti-spyware software, about 75 percent come with “cookie management” options. What that means varies from maker to maker. When most anti-spyware programs do their normal scans (daily, weekly, monthly or however the user sets it) they will catch cookies but rarely do anything about them. The default is to generally ignore them. If the program offers a check box to dump certain kinds of cookies on a regular schedule, it has to be turned on by the user. Most anti-spyware makers believe the majority of their users are going with default settings. In fact, some studies have said that the so-called “computer savvy” also keep cookies longer than they say and believe they are deleting them when they aren’t.

All this misperception, in many ways, boils down to a few basic facts that most anti-spyware software makers can agree on: taken on their own, most cookies are not harmful. Cookies carry no code and so they cannot carry viruses. While cookies may carry information on where users have gone on the Web, most of it is anonymously tracked – meaning such data doesn’t contain personal information. The Wall Street Journal’s Mossberg wrote it was akin to a company knowing what channels you watched on TV without telling you it was monitoring you. Generally it’s more like following a set of footprints in the sand to see where they go, but the tracker has no idea if the person making the prints is Jane Doe, Jane Doe’s mom or Santa Claus.

One of the persistent problems, says Phil Owens, product director of CounterSpy, a product of Sunbelt Software, is that “most average users perceive that the program is doing the [cookie] removing” for them. He adds that most anti-spyware software makers are in a bit of quandary about cookies. They are “gray,” Owens says, because they are not malicious. Therefore, you’d think it isn’t software makers’ responsibility to clean cookies. Owens says this is a tough call. “On the one hand, maybe we should play a role and tell people cookies are benign until proven wrong. We can help quell that concern. On the other hand, market pressure by consumers is great. They will say, ‘This software found this but you didn’t,’ even if it is not malevolent.”

“The general public doesn’t understand the value proposition of the cookie,” says Rick Carlson, president of Aluria Software, which makes Spyware Eliminator. That’s why version 4.0 – released in February – has a whole separate tab in its scan results that lists the newest cookies. “Previous versions never detected cookies,” Carlson says, “but we put it in because consumers wanted it. And they wanted to be able to detect and remove them.” He says that sometimes spyware can place a cookie and that there is an outside chance that spyware reads other peoples cookies. Consumers wanted insurance for those remote possibilities, he says.

One of the most high-profile of antivirus software from McAfee currently doesn’t do any cookie tracking or identification either in its McAfee AntiSpyware 1.1 or VirusScan 9.0. McAfee spokesman Hector Marinez says the programs do not delete cookies or recommend deletion of cookies. He adds that the upcoming McAfee AntiSpyware 2.0 will have a cookie tracking function where cookies are identified and the user can choose to delete them. VirusScan 10.0 will not have cookie tracking.

Currently, anti-virus and anti-spyware from Microsoft does not scan for cookies, in part because the remembered passwords and Web page settings in cookies help tailor the Internet experience for visitors of Microsoft properties such as MSN. To help boost commerce, it’s been reported that the beta version of Microsoft Windows AntiSpyware does not disable tracking cookies. However, GIANT Company Software, the company that developed the anti-spyware product and was acquired by Microsoft in December, disabled tracking cookies.

Owens adds that he can conceive of a function in future versions of CounterSpy where the software scan can tell you exactly what each cookie is for, such as whether it was for a retail purchase you made or whether it was placed there by potential spyware.

Spyware Eliminator has its tabs even though Aluria’s Carlson says he would probably have preferred to have Eliminator ignore cookies. “We are extremely sensitive to the affiliate community,” Carlson says. Within the software tab, it clearly states that cookies “pose little risk.”

While anti-spyware companies are trying to figure out if they will take a stand, marketers themselves have stepped up to the plate and started their own grassroots awareness groups. One of the most prominent is Safecount.org, started by Cory Treffiletti, managing director of Carat Interactive’s San Francisco office, and Nick Nyhan, president of Dynamic Logic in New York. Safecount wants to start a “good list” of sites with trusty reputations. So far, the “good list” campaign is in the very early stages, “to show who plays by the rules,” says Treffiletti. A good list can show “you remain marketer-friendly and consumer-friendly.”

Another body is the advocacy group Center for Democracy and Technology, which is trying to help the anti-spyware industry start at the very beginning and define what constitutes malicious data or vehicles for code versus harmless files. Eventually the center wants to write “dispute- resolution procedures” as well.

One company is even using a kind of backup program that automatically saves a copy of cookies before anti-spyware software can do the job. United Virtualities of New York uses something called persistent identification element, or PIE, exploiting attributes in Flash software. Some analysts, however, have labeled it “deceptive.”

Lawmakers are weighing in as well. So far lobbies have managed to get Congress to keep cookies out of anti-spyware legislation. But the most recent bill, the Internet Spyware Prevention Act of 2005, known as the I-Spy Act, is so broadly defined that cookies could very well be included in a legal interpretation. Marketing agencies are also trying very hard to keep cookies out of legislation.

Right now Safecount.org is a small, all-volunteer movement and may not reach enough momentum by the time some of the top anti-spyware software makers have implemented more hands-on cookie administration in their next versions. Alternatives for the affiliate marketer start with what you can do on your own site.

The first thing you could do is to include a brief introduction to cookies on your website. It doesn’t have to take up a lot of room and could even be on its own page with a link that says something like, “A word about cookies.” You can start by explaining cookie deletion versus cookie rejection. Deletion is when a visitor manually dumps a cookie or when anti-spyware software trashes it either through alerting the visitor or by an automatic setting. This is never consistent because every brand of anti-spyware software handles it a tiny bit differently. Tech-savvy visitors may have set their browsers to reject cookies. While Internet Explorer can be set to not accept any cookies and make users feel a lot safer, most online retail sites need cookies turned on to finish a purchase.

Web analytics company WebTrends recommends that businesses focus on serving only first-party cookies (sent from the website you are visiting) and not third-party cookies (sent from a vendor or advertiser on a Web page). WebTrends also advises only carrying the most necessary information in a cookie to avoid privacy worries. Think twice, company officials at WebTrends say, about employing “unproven and risky alternatives to cookie tracking” such as those in Flash or solutions that “trick” a browser into receiving a first-party cookie.

Also, affiliates could list the benefits of cookies – that a cookie helps remember user’s purchase history and passwords, and helps commissions go to the right people. Don’t be afraid to spell it out for your repeat customers: “Keeping your cookie keeps me in business.” Carlson says groups like the Anti-Spyware Coalition (www.antispywarecoalition.org) can only help so much and that standards just don’t start in a committee room but out in the world. “We are just a $20 million in revenue company,” he says, compared to the really huge anti-spyware makers. “We are the flea on the back of a dog.”

Other proactive measures for an affiliate include going to Internet security sites and staying abreast of the latest in hacks, scams, phishes and technological advances. You may think it is asking a lot to suddenly become an expert in deception, but it might be a comfort to remember that you are not alone. In terms of affiliates or retailers online, if there were a cookie problem that was reflected in the bottom line, there would be an uproar. The retailers themselves would step up if their highest earners were fading. If money is being lost, ears prick up.

As affiliates take a bigger role in what companies sell, you can bet their voices will be heard. As with the grassroots bodies and coalitions, pulling together can make a big difference. Advertising companies on the Web rely heavily on the cookie, and they are already drawing up standards. Affiliates should consider doing the same. After all, what does a salesperson really do: Inform and persuade.

ERIC REYES lives in the San Francisco Bay Area and writes about technology and business. His work has appeared in Business 2.0, the New York Daily News, the San Francisco Chronicle and Worth magazine. He has directed and contributed to websites such as Amazon.com and Excite.com.