Chapter 12 Quiz: Browser Cookies, Tracking Pixels, and the Third-Party Data Ecosystem

Select the best answer for each multiple-choice question. Short-answer questions require a written response of 2–4 sentences.

1. Lou Montulli invented the browser cookie in 1994 primarily to solve which problem?

A) Tracking user behavior across websites for advertising purposes B) Maintaining user identity across stateless HTTP requests (e.g., shopping carts) C) Storing user passwords securely in the browser D) Preventing unauthorized access to user accounts

2. The key difference between first-party and third-party cookies is:

A) First-party cookies are set by the user; third-party cookies are set by the website B) First-party cookies are stored locally; third-party cookies are stored on a server C) First-party cookies are set by the site you're visiting; third-party cookies are set by servers not operated by the site you're visiting D) First-party cookies expire when the browser closes; third-party cookies persist indefinitely

3. A tracking pixel (web beacon) works by:

A) Storing a cookie on the user's computer that tracks their behavior B) Triggering a server request that the tracking company logs, revealing the user's IP address, device information, and timing C) Installing a background process on the user's device that monitors their browsing D) Redirecting user traffic through a tracking server before delivering the webpage

4. Research by the EFF's Panopticlick project (now "Cover Your Tracks") found that:

A) Most browser fingerprints are generic and cannot be used to identify individual users B) Browser fingerprinting is only effective when combined with cookies C) 84% or more of browsers had a unique combination of characteristics in tested datasets D) Fingerprinting is only used by government surveillance agencies, not commercial trackers

5. Which of the following is NOT a technique used in browser fingerprinting?

A) Analyzing which fonts are installed on the system B) Testing how the browser renders a specific canvas drawing C) Reading cookies from other websites the user has visited D) Measuring how the browser processes audio signals

6. A Demand-Side Platform (DSP) primarily serves:

A) Publishers who want to sell advertising inventory B) Data brokers who want to aggregate behavioral data C) Advertisers who want to purchase advertising inventory programmatically D) Regulators who want to monitor advertising compliance

7. Cross-device tracking using "deterministic" methods relies on:

A) Statistical inference based on shared behavioral patterns B) Ultrasonic audio beacons embedded in television advertisements C) Shared identifiers (email addresses, phone numbers, account logins) that definitively link devices D) Browser fingerprinting applied across multiple devices

8. The primary privacy concern with email tracking pixels is:

A) They can install malware on the recipient's device B) They report to the sender when the email was opened, from what device, and potentially from where, without requiring any action from the recipient C) They allow the sender to read the recipient's reply before it is sent D) They can access other emails in the recipient's inbox

9. "Dark patterns" in cookie consent banners refer to:

A) The use of dark color schemes that make consent banners harder to read B) Interface designs that exploit cognitive biases to nudge users toward choices (like "accept all") they might not make if options were presented neutrally C) The deliberate hiding of consent banners so users don't notice them D) The use of confusing legal language that most users cannot understand

10. The GDPR's consent requirement specifies that consent must be:

A) Implicit and based on continued use of the service B) Freely given, specific, informed, and unambiguous C) Documented in the company's privacy policy D) Provided once and valid for the lifetime of the user's account

11. Why did privacy advocates criticize Google's Privacy Sandbox (Topics API) proposal, even though it represents a nominal improvement over third-party cookies?

A) Topics API requires users to pay for privacy features B) Topics API only works in the Chrome browser, which has low market share C) Replacing third-party cookies (controlled by many parties) with a browser-level tracking system controlled by the world's largest advertising company may concentrate rather than reduce surveillance power D) Topics API would eliminate all forms of behavioral advertising, damaging the free web

12. Canvas fingerprinting is particularly difficult to prevent because:

A) It stores a persistent identifier that cannot be deleted B) It is based on the rendering characteristics of graphics hardware and drivers, which do not change when users clear cookies, switch to private mode, or use VPNs C) It requires no JavaScript execution, making it invisible to script blockers D) It is only active when users interact with graphic elements on a webpage

13. The "third-party doctrine" from Smith v. Maryland (1979) holds that:

A) Information collected by third parties requires a warrant to access B) Information voluntarily shared with third parties carries no reasonable expectation of privacy C) Third parties who collect personal data are legally liable for its misuse D) Third-party data collection requires explicit consent under U.S. federal law

14. When a user employs a VPN to protect privacy, which of the following tracking techniques is the VPN most effective at countering?

A) Third-party cookies B) Browser fingerprinting C) IP address-based identification and tracking D) Canvas fingerprinting

15. The Princeton WebTAP study found that the tracking infrastructure of which company appeared on more than 80% of the top 10,000 websites?

A) Facebook/Meta B) Amazon C) Google (DoubleClick/Google Ad Manager) D) The Trade Desk

16. A Supply-Side Platform (SSP) primarily serves:

A) Advertisers who want to purchase targeted advertising B) Publishers who want to make their ad inventory available for programmatic purchase C) Data brokers who supply demographic data to ad networks D) Regulators who oversee the digital advertising market

17. Which of the following statements about "private browsing" or "incognito mode" is accurate?

A) Private browsing prevents all tracking, including by the websites visited B) Private browsing prevents cookies and browsing history from being stored on the device, but websites can still log server-side and fingerprinting still applies C) Private browsing is equivalent to using a VPN in terms of privacy protection D) Private browsing prevents third-party tracking but not first-party tracking

18. Short Answer: The chapter describes cookie consent banners as "the theater of consent." Define what this phrase means using at least two specific dark pattern techniques described in the chapter. Then argue whether GDPR's consent requirements are, in principle, adequate for genuine privacy protection — even if current implementations fail to meet them.

[Answer space — 150–250 words]

Answer Key

  1. B
  2. C
  3. B
  4. C
  5. C
  6. C
  7. C
  8. B
  9. B
  10. B
  11. C
  12. B
  13. B
  14. C
  15. C
  16. B
  17. B
  18. Rubric: Full credit requires (1) accurate definition of "theater of consent" as describing consent mechanisms that provide the legal form without the substance of genuine informed choice; (2) accurate description of at least two dark patterns (pre-checked boxes, asymmetric button design, option burial, forced interaction, deceptive framing, or redundant consent); (3) a substantive argument about GDPR's principles — whether requirements for "freely given, specific, informed, unambiguous" consent are adequate in principle regardless of implementation. Strong answers will note the tension between principle and practice, recognizing both the value of GDPR's standard and the inadequacy of current compliance.

Chapter 12 | Part 3: Commercial Surveillance