Cookie Domains

This section describes the domains that set cookies. The domains have been ranked according to the number of times the domain has set a cookie. There are 261 different domains that have set cookies, however some of these cookies may be of the same variant. One example of this is the cookie “_ga”, which is a cookie that originates from Google Analytics, despite that the cookie-setting domain usually appears to be the same as the domain of the page, which it was found on. An example of this is on the page “https://www.odense.dk”, where the “_ga” cookie is set by the domain

“odense.dk”. This also partially explains the long-tail of cookie-setting domains, which is illustrated in the chart below.

Figure 6: Long-tail distribution of cookies among domains

This figure is illustrated in the cookie ecosystem in section 4.2.3.

In order to get a better insight into these domains, the next section will first highlight the ten most common domains and secondly selected domains that only set cookies on a small number of pages, where the cookie domain is different from the domain of the web page.

0 50 100 150 200 250 300

siteimproveanalytics.io boost.ai ft.dk star.dk mfvm.dk uvm.dk silkeborg.dk eva.dk sygehuslillebaelt.dk rebild.dk horsens.dk dors.dk stevns.dk rudersdal.dk mst.dk jammerbugt.dk herlevhospital.dk dsn.dk bane.dk toender.dk skive.dk regionshospitalet-… nidc.dk komoe.dk havarikommissionen.dk ens.dk bygst.dk akamaized.net uim.dk stm.dk skatteankestyrelsen.dk offerfonden.dk motorst.dk kadk.dk gaeldst.dk fm.dk dragoer.dk alleroed.dk

Figure 6: Long-tail distribution of cookies among domains (Y-axis = number of requests)

Source: Own making, Excel

The table below shows the ten most common domains in ranked order.

Table 9: Top cookie domains

Rank Domain Count Count % Country

1 siteimproveanalytics.io 246 22,4 DK

2 domstol.dk 30 2,7 DK

3 rn.dk 24 2,2 DK

4 rm.dk 16 1,5 DK

5 youtube.com 15 1,4 US

6 linkedin.com 14 1,3 US

7 regionh.dk 13 1,2 DK

8 boost.ai 12 1,1 NO

9 frivilligraadet.dk 9 0,8 DK

10 facebook.com 9 0,8 DK

“Siteimproveanalytics.io” (22,4%) from Siteimprove is by far the most common cookie-setting domain. Siteimprove also owns the domain “siteimprove.com” (0,2%). That Siteimprove uses multiple domains is also the case of element-trackers, where it uses three different domains to provide elements, as explained in section 4.1.2. The domain “siteimprove.com” sets the same types of cookies as “siteimproveanalytics.io”, which means that there is nothing in the results that points to an explanation for the fact that Siteimprove sets cookies from both domains.

The cookies from the domains “linkedin.com” (1,3%), from LinkedIn, and “facebook.com” (0,8%), from Facebook, are examples of cookies from social media platforms. The cookies from LinkedIn found in this study, are special third-party cookies, which are only on pages where LinkedIn is used as a TPS (LinkedIn, 2019). According to LinkedIn’s cookie policy as of January 2020, these LinkedIn cookies can be set in the user’s browser when the user visits a web page with a LinkedIn Plugin, such as a LinkedIn shortcut button (LinkedIn, 2020). Both of the pages, where cookies from the domain “linkedin.com” were found, have buttons with a LinkedIn logo that takes the user directly to the LinkedIn website, which likely explains the cookies’ presence on these pages. The cookies from Facebook also follow the same pattern, as Facebook cookies can also be found on web pages that contain a Facebook plugin (Facebook, 2020). Essentially, the value that plugins for social media platforms create for an organization’s web page, is the ability for the user to access the organization’s social media profile faster, than through alternative ways. However, the benefit comes at the cost of

user privacy, as third-party cookies from these social media platforms are set in the browser of the user, without the user being necessarily aware of it. This dilemma of improved services vs. limited privacy will be discussed further in section 5.

Google is also represented among the most cookie-setting domains, as “youtube.com” (1,4%) ranks fifth. There are three different cookies set by this domain across five pages. The purposes of these cookies include enabling tracking of the user based on geographic location, estimate the user’s bandwidth on pages with embedded YouTube videos and to register which YouTube videos that the user has watched (Cookiebot, 2020a).

The domain “boost.ai” is the only domain among the most cookie-setting domains, which is not related to a company in Denmark or the United States of America. This domain is owned by the Norwegian company Boost.ai, which is specialized in creating virtual agent and chat solutions for websites in the public sector, in order to better respond to inquiries and questions from citizens (Boost.ai, 2020).

Domains that Set Few Cookies

The prior section described the most common cookie-setting domains. This section will focus on the domains with only cookies on a single web page, which it does not share an identical domain name with.

The domain “demdex.net” set the cookie “demdex” on the web page for the Danish Gambling Authority (Spillemyndigheden). An element with an unidentified file extension from this domain was also found on this page, presumably in relation to the cookie. The domain “demdex.net” is owned by Adobe and is used to support Adobe Audience Manager, which is a tool for website owners to collect commercially relevant information about visitors with the purpose of serving targeted advertising (Adobe, 2020). The cookie “demdex” assigns a unique ID to the user and in that way helps Adobe Audience Manager perform its tasks. Another rare cookie-setting domain related to analytical tools, is “nr-data.net” setting the cookie “JSESSIONID” on the web page of the Danish Evaluation Institute (Danmarks Evalueringsinstitut). This domain is owned by New Relic, which is an American company that provides website analytical software for website owners. Cookies from the domain “nr-data.net”

are used to transfer information about the user from the page that the user visits to New Relic’s data collection servers (New Relic, 2020). Essentially, New Relic’s cookies are relatively similar to those of Siteimprove and Google Analytics, since they enable the website owner’s analytical programs to

function correctly. Another cookie which has also only been set on one page and supports an analytical program, is the “sp” cookie from Ontame.io. Ontame.io is a Danish company that provides software for analyzing recruitment campaigns (Ontame.io, 2020).

A rare third-party domain that has set a cookie, which is used for supporting embedded third-party media, is the domain “soundcloud.com”. This domain set the cookie “sc_anonymous_id” on the web page of the Rythmic Music Conservatory (Rytmisk Musikkonservatorium). The domain is owned by the American music streaming service SoundCloud and the cookie is used to identify a user that visits a web page that has a SoundCloud music player embedded (SoundCloud, 2018). The web page where the cookie was set, also requested the element “player.js” from SoundCloud, which indicates that there is a media player plugin of some sort on the page.

The domain “jobnet.dk” set a cookie on the web page for the Danish Agency for Labour Market and Recruitment, or STAR (Styrelsen for Arbejdsmarked og Rekruttering). The domain is owned by Jobnet, which is an online recruitment portal, where citizens in Denmark can apply for vacant positions (Jobnet, 2020) and it is operated by STAR and Local Government Denmark (Kommunernes Landsforening). The web page for STAR also sent two requests to “jobnet.com” for elements labelled as “analytics”, indicating analytical purposes are the explanation for Jobnet’s cookie on the web page of STAR.

The domain “pulseadnetwork.com” has previously been described in section 4.1.3, as a third-party domain related to malware. This domain set the cookie “accompat” on the web page of Billund Municipality, which is the same page that made an element request to “pulseadnetwork.com”. As little to none information about the purpose of this cookie is available, it seems rather peculiar that this cookie is set on the web page of the Billund Municipality.