August 10, 2021 Clean Cookies

I've been noticing a lot of chatter on the web lately around cookies and how we need to get rid of them in order to free us from the tentacles of ad-tech companies.

It seems like a lot of this talk is missing the point, or rather part of the ripple effect from Google's latest trick to solidify its hegemony in the surveillance game (yes, that FLoC flop). So, I felt the need to share some clarifying points:

  1. Will getting rid of cookies prevent online tracking? No.
  2. Are all cookies tracking cookies? No.

The gist is that not all cookies are dirty tracking cookies. In fact, some cookies are really clean — like ours! If you were to block all cookies (a setting in Safari), then you may start to notice "weird" behavior on our site because you would be blocking functional cookies that make our site work.

I noticed this when testing our invitation sign ups on my mobile phone during our cross-country moving road trip. When I opened the Metamorphic email confirmation link in Safari, nothing happened! There was no celebratory banner message informing me that I was now on the invite list for Early Access nor was there a warning or error message.

That's when I noticed that I had a setting turned on in Safari called "Block all cookies". As soon as I turned that off, everything worked as it should. This made me realize that Safari's "Block all cookies" really does block all cookies, even the clean ones.

What are cookies?

Cookies are very small files (~4KB) that can be stored on a device over the internet. They are typically stored through browsers by websites in order to store data that provides some kind of site functionality (Wikipedia has a great entry).

From here you can branch off into all sorts of different types of cookies, but I prefer to split cookies into two categories: dirty and clean.

What are dirty cookies?

Dirty cookies are what I call any kind of cookie that is used to track you around the web (or surveil you in one way or another).

These are the cookies that most people are talking about (knowingly or not) when they talk about getting rid of cookies. They can be both first and third-party cookies. For example, on your favorite clothing website you are probably being tracked by cookies from other companies (third-party dirty cookies) as well as cookies from that clothing company (first-party dirty cookies).

What's important here is the notion that dirty cookies are dirty and tracking you only because the companies behind them are dirty and tracking you. If the industry got rid of cookies, it wouldn't get rid of the dirty tracking and surveillance. Why? Because it's not the cookie's fault, it's the company's.

If the industry really wanted to get rid of dirty cookies, then it would need to get rid of dirty companies.

What are clean cookies?

Clean cookies are the kind that help make the website your visiting function properly without doing any dirty tracking or surveilling.

You will typically find clean cookies being used for authentication. For example, on Metamorphic you will utilize a cookie for your session and a cookie for remembering you upon login (if using your two-factor authentication and opt in). These cookies are secure, signed, and encrypted to ensure your safety and security on our site and they enable virtually all of the wonderful features of Metamorphic (in terms of your session cookie) and convenience (in terms of your "Remember me" cookie).

Clean cookies can feel a lot like magic (especially if making a metaphor for the real deal) as they enable websites like Metamorphic to do incredible things without tracking or surveilling you in any way.

It's worth noting, just like above, that the cookies are clean only because the company behind them is clean (no back-patting here 🙄).

Under the blacklight

The good folks over at The Markup have created an incredible service to help us get a better sense of the "ick" stuck across the web by the surveillance industry, called Blacklight.

I ran Metamorphic through the scan and saw exactly what I was expecting:

Zero "ick" on Metamorphic, by design.

It always feels good to get this kind of third-party confirmation. However, I had a hunch that our parent company's website wouldn't fare as well since it's currently running on Squarespace. So, I ran Core Theory's website through the scan and saw disappointing yet still pretty good results:

Two spots of "ick" on Core Theory's website even with all of Squarespace's tracking settings disabled (😔).

The two spots come from Vimeo and Adobe (the hosting provider for those awesome videos and the provider of those awesome fonts). This is an interesting and unfortunate example of third-party dirty cookies.

It's been a long running thought in the back of my mind to fully move Core Theory's website over to a "wholly-owned" solution but I still feel my time is better spent making Metamorphic than worrying about the use of Vimeo hosted videos and Adobe fonts on our parent company's website.

Plus, Squarespace really has made it possible for me to keep that website looking slick and updated without taking much time away from Metamorphic — and Metamorphic aced the scan!

Put it in the oven

I think the most important thing to takeaway from all of this is: what's in the cookie is what determines whether it's dirty or clean (bad or good), and what's in the cookie is determined by who's behind the cookie.

If the chef is in the business of tracking and surveilling you, then odds are they're baking some dirty cookies.

If the chef is Metamorphic, who's in the business of being awesome (the antithesis of tracking and surveilling), then odds are the cookies are clean (and they are)!

🍪 Mark

PS — Our use of clean cookies is why we don't have to show any cookie banners on Metamorphic.

Back to blog