Taking a Byte out of Cookies
When I wrote Memories and Cookies for Byte several years ago after the dot-com boom went bust, I got pushback from the editor. Why would anyone care about persistence, monitoring and cookies structures? As a Director at one of those Internet datacenter companies at the height (and fall) of the bubble, I knew that cookies were very important to bizdev and sales as an indicator to tracking unique visitors. Of course, the underlying assumption was that cookies were persistent even though browsers allowed one to selectively delete them. On my modern Firefox browser there is even a special "remove all cookies" button that makes non-flash cookie removal a snap (flash cookies, aka local shared objects in flash-speak, are persistent objects embedded in the flash plug-in, and not removed by the browser's cookie mechanism; this is one reason lots of sites are going to flash). And remove them we do -- up to 1/3 of computer users remove cookies at least once per month, according to comScore, and 7% of computers account for 35% of all cookies served.
While not surprising, this has serious implications for ad monetization.
Simply put, an old customer may appear as a new customer because he removed a cookie and then returned to the site. Each time he receives a new cookie, he appears as a new unique visitor because he doesn't have a cookie (he's deleted it). While retail sales depend on building a returning audience (try running a restaurant or a barbershop or Zappos.com longer than six months without a "loyal customer base" -- it doesn't work) and value their returning customers, Internet companies using ad monetization arrangements as their revenue model depend on a pyramid scheme of ever-escalating audience ratings using unique "eyeballs". Returning customers don't mean much to investors hoping for a six-month flip.
Some sites attempt to get around cookie deletion by comparing the IP address to a known list of cookie assignments. If the cookie assigned matches the IP address, then the assigned cookie is "reinserted" into the cache. This of course assumes that the IP is static, which is kind of silly because most DSL and cable links are dynamically reassigned upon termination of connection or, in the case of always-on connections, every quarter or so. It also assumes that there is one computer per static IP, which is even more silly because almost all companies which use static IPs also use NAT. Finally, maintaining and comparing lists of cookies and IPs can result in a tremendous amount of data storage and management. We routinely consolidate, compress and delete gigabytes of IP, reference and search term logs daily. Which begs the question -- is cookie tracking really worth the bother?
So, by how much does cookie deletion distort a dot-com's unique visitor counts? It could easily be overstated by 2.5 times or more. According to Dr. Magid Abraham, President and CEO of comScore, "These ‘serial resetters' have the potential to wildly inflate a site's internal unique visitor tally, because just one set of ‘eyeballs' at the site may be counted as 10 or more unique visitors over the course of a month. The result is a highly inflated estimate of unique visitors for sites that rely on cookies to count their audience." If you notice that serial resetter sounds a lot like serial murderer, you're paying attention. Serial resetters kill ad monetization schemes.
Recently I discussed the potential for gaming Internet traffic numbers using gimmicks such as Alexa's toolbar and how this can impact valuations and company survival (see FilmLoop and Alexa - When Fake Rankings Kill Companies). Likewise, a small group visiting and deleting cookies can have a disproportionate impact on unique visitor counts based on cookies. As I said earlier, "the only way you can honestly obtain information is by monitoring the switches in the datacenter itself and analyzing the traffic".