Cookies are one of the primary mechanisms through which we are tracked over the internet. Every action we take is recorded as a log and used for analysis and metrics. Basically, cookies are small pieces of data that are used as a storage medium in the browser and are sent with every request to the server. They are also used for session tracking, when we log in to a website or mobile app the server sets a session cookie in our browser which are sent with subsequent requests to the server, which in turn authorizes us to perform any action.
But the interesting use case of cookies is tracking. Companies like google or meta use third party cookies across many websites to monitor us and this is why we see ads for things on social media soon after searching them on the internet. So people used to clear cookies and browser storage to get rid of tracking and then the GDPR also introduced a policy which requires websites to take our permission before setting a non-essential cookie on our browser.
Now comes ETags which are opaque identifiers generated by the server (either an MD5 hash or a random string) for a resource and sent to the browser in the response header of the resource. They are basically used for caching resources on the browser. So the next time, the browser requests the same resource, it includes the ETag in the request and if the server sees the ETag hasn’t changed then the server sends a 304 Not Modified Response thus saving bandwidth and load time.
The problem is that a few companies realized that ETags persist even after we clear cookies or local storage, so why not use it for tracking us. So now the server generates an ETag for a user and stores it, so next time the user visits the site, the browser sends the ETags and the companies can track down the users even if they have cleared cookies. But now in modern browsers it’s no longer practical to use ETags for tracking as they prevent ETag from being shared across different origins thus neutralizing cross-site tracking.
So eventually companies continuously find new ways to track us, even when we try to avoid it. A caching mechanism once became a tracking mechanism.