Ghostery + GhostRank (Evidon) – an Analysis by CookieQ.

Baycloud Systems sets the record straight.

For some time Evidon, formerly known as Better Advertising, – acquirer of the Ghostery ad blocking browser extension, have been publishing misleading information about Baycloud Systems and our CookieQ product. As they have not even bothered to reply to communications requesting them to stop this, we feel we need to set the record straight by refuting their claims about us. We also, in the interests of transparency, provide our own analysis of their product offering which we feel is important given their connections with the so-called “self-regulatory” response to worldwide privacy concerns.

Evidon markets a browser extension which it claims identifies “trackers” and allows a user to block them.

Ghostery does this by scanning every page the browser visits and identifying the external resources that are referenced in “script”, “img” , “iframe” and other tags. If the name of a resource matches an external JavaScript file recorded in an entry on their list of “trackers” and the user has configured the extension to block that entry, the particular JavaScript file is inhibited from loading.

Because the JavaScript file is not loaded then it cannot dynamically create these “img” or “iframe” tags and in this way Ghostery does inhibit tracking by some advertising companies and analytics providers.

The problem with this approach is that perfectly benign JavaScript libraries used to add useful functionality to a site are also blocked, sometimes rendering the site unusable. Although the majority of script on their list is used to track people for the purposes of behavioural advertising, they also include other script which does not.

For example our own CookieQ tool is used to protect a user’s privacy and is never used to track them. It was designed to help sites comply with European Law by acquiring and registering user consent on multiple web domains they control and, when a user has not given consent, by removing cookies and other identifying storage. It lets sites offer either an “explicit consent” mode where the user must opt-in before identifiers such as UID cookies are stored or an “implied consent” mode where the site assumes storage is OK buts gives users the ability to always quickly and easily opt-out from this storage on subsequent visits to the site. We also enable our customers to support the forthcoming W3C Do Not Track protocol and apply its User Granted Exception API across multiple domains when there is agreement for this by the user.

We do not, and have never, collected data, sold data or tracked people. Since this has always been explained in all our documentation and our privacy policy, not only would it entirely conflict with our mission and the purpose of our technology but would also be illegal.

All our technology has been developed in-house. We have developed our own downloadable application that operated as a true tracker blocker, and would have competed directly with AdBlock+, DoNotTrack+,, and Ghostery etc. This is not a browser specific blocker but a universal system that can intercept network activity and so works with any browser. But we decided that a CookieQ solution based on letting websites collaborate in extending privacy to their visitors in order to build trust with them, was a better approach which would lead to a healthier way for online actors to extend privacy and interact directly with citizens.

Early versions of CookieQ used a 3rd party cookie in our own domain to record a user’s explicit consent at different sites. This was clearly explained to be “strictly necessary to support a service requested by the user”, was only placed if they had given explicit consent at our customers’ sites for cookies or other identifying storage, and could always be instantly removed by clicking on a link on our own or our customers’ sites.

Furthermore, we have recently introduced a major enhancement to our technology in which the information recording a user’s agreement at particular customer sites is only held within their browser or device and is never communicated to our or our customer’s servers. We now only store a 3rd party cookie if a user is using one of the increasingly small numbers of browsers that do not support the HTML5 features needed for this functionality.

Evidon has added the script file used by the CookieQ tool to its list of “trackers” albeit in a sub-category labelled “privacy”.  Many people who download Ghostery, or use their list with other ad blockers like AdBlock+, just block every script on the list and so our script is also blocked. As a result these users are not able to opt-out of cookies or identifier storage on our customer’s sites.

Evidon may claim this was accidental but the fact the page on their website describing us misleads people into assuming we support, as Evidon does, the AdChoices opt-out cookie, has an elaborately concocted paragraph wrongly claiming to be a quote from us -  claiming to be “in their own words”, and the fact Evidon bought the and other cookieq domain names in 2012 – almost a year after we introduced the product using the domain, leads us to believe they did this simply out of the wish to damage a competitor whose technology they feared.  These Evidon owned cookieq domains are parked on a service that displays behavioural and other advertising, and places cookies. We feel this damages our brand as in many cases these may be the pages they see when on making an online search for CookieQ.

The AdChoices program relies on only giving people the ability to opt-out of tracking by specifically visiting one of their member’s sites and requesting an opt-out. This simply places a cookie in the domain used by that particular company’s 3rd-party tracking element, which signals their server that the user wishes not to be tracked. If the user deletes all their cookies, which many do regularly as a privacy protective measure, then the opt-out cookie is lost, paradoxically leaving them in a situation where the behavioural advertiser’s servers will assume the user does not mind being tracked. Also browsers that normally inhibit 3rd party cookies assume that because a 1st party cookie (the opt-out cookie) has been placed the blocking of cookies from that site will be lifted, also probably conflicting with the user’s intention.

If a user wishes not to be tracked by any AdChoices member or if they wish to see what members have placed an opt-out cookie, every subscribing domain must be visited. This leads to slow loading of pages designed to implement the required functionality due to the necessity of script having to insert external origin frame elements directed at the hundreds of domains that use opt-out cookies. These cumbersome and inelegant implementations are only necessary because of the underlying opt-out philosophy with its assumption of implied consent. A mechanism based on the requirement to gain prior consent for tracking would not only be more transparent but would lead to cleaner and more efficient implementations.

Evidon claims that they only sell "aggregated" data based on that collected by the Ghostery extension for GhostRank and that they do not collect personally identifiable information (PII). But on every visit to a page containing script on the Ghostery list, if the user is has subscribed to the “GhostRank” collection mechanism, not only the IP address of the user’s browser but any identifiers that happen to be encoded in the Uris of the external resources are sent to the server. Unique identifiers stored in cookies are classed as PII by European DPAs, especially when they occur in combination with IP addresses. If companies collect PII in this way they should be registered Data Collectors and according to the ICO website Evidon is not registered.

For example Google’s third-party analytics service Google Analytics stores a 2 year persistent identifier in the first-party “__utma” named cookie. The value of this cookie encodes a value which, together with the IP address, uniquely identifies the user’s browser and absolutely singles-out the user across domains. This identifier is encoded as a query parameter in the “src” attribute of the image tag that the Google Analytics script creates, and this Uri is sent to servers in addition to Google’s whenever the user visits the page. Both IP addresses and unique identifiers in persistent cookies are defined as PII by European Data Protection Authorities exactly because they can easily be used to single-out individual internet users and can be used to profile them.

This PII is sent by browsers incorporating the Ghostery extension (with GhostRank enabled) for every visited page that uses Google Analytics.

Google Analytics is used on the majority of web sites around the world, including most UK Government sites, the sites used by major consumer brands and even the website of the Information Commissioner’s Office. Each GhostRank user sends a record of their visits to these websites to Evidon with information that can uniquely identify them. 

Of course whenever a citizen visits these sites this information is also sent to Google and it would also be interesting to read any commitment that Google has given to the ICO or the UK Government, who do not deem it necessary to ask for the consent of citizens for it on the main UK Government website, that they do not use this information to profile people. This hints at the problems that will arise as tracking increasingly relies on identifiers stored in the document origin of 1st party sites, where they are accessible to any 3rd party script included there as well as to browser extensions like Ghostery.

The following list details the Uri parameters sent to the server when visiting a sample of sites on 25th May 2013. The domain name that triggered the transmission is coloured green and some of the potential unique user identifiers are coloured yellow.

HTTP Request GETs sent to the servers when GhostRank is enabled and a sample of sites are visited .

Visit to 25/5/2013





Visit to (21 requests to each one taking between 169 and 310 ms to load) 25/5/2013






/api/census?bid=58&apid=47& HTTP/1.1






GET /api/census?bid=93&apid=1026&








Visit to 25/5/2013







Visit to (9 requests to Ghostery ) 25/5/2013