Controlling The Cookie Monster
Marissa Cleaver
A cookie may not sound like anything you would need to be
concerned with, but it is something you should be aware of. The word "cookie"
itself might conjure up thoughts of harmless treats and all things good. Yet not
all people see web site cookies in such a positive light. In fact, some people
have become so annoyed with them, and so fearful of their potential for serious
invasions of privacy, that they have lobbied for governmental regulations. More and
more, web sites are incorporating cookies into their sites to track the
movements and purchasing habits of the users that visit their sites. The social
impact that much of this has is that the user is often unaware that they are
receiving such cookies from a web site. To take a look at the controversy
surrounding cookies, we must first look at what cookies are, how they are used
in interactive web sites, the arguments for both sides, and steps you can take
to find out about cookies on your computer.
What Is a Cookie?
According to webopedia.com, a cookie is a message given to a Web browser by
a Web server in the form of a text file called cookie.txt. The message is
embedded in the HTML information and is sent back to the server each time the
browser requests a page from a server. When you enter a web site that uses
cookies, you are often asked to fill out a form with your personal information
(i.e. name, e-mail address, interests). This information is stored in a cookie
that is then sent from their web server to your hard drive, without your consent
or knowledge. When you return to that site, the web server requests that cookie
from your browser [1,Webopedia]. The cookie contains information such as the IP
address, the type of browser you are using, the operating system on your
computer, and any information you explicitly supplied to that particular server
(i.e. username, password)[3,CIAC].
Cookies fall into one of two categories according to how long they last. Most
cookies are temporary and expire as soon as the session is over, as when you
close your browser. Others carry an expiration date; these are known as
persistent cookies. These cookies are stored on your hard drive until that date.
Persistent cookies also allow the user's browsing habits to be tracked whenever
they return to that site[1,CIAC].
How Are Cookies Used?
Cookies were initially designed for convenience on both the computer user's
part and the part of the server. Cookies were primarily, and still are, used to
personalize home pages and search engines, to allow users to participate only
once in an online contest, and shop online using a virtual shopping
cart[1,Concept]. The cookies were simply a convenience for the users to not have
to reenter the same information every time they came to a site. And in the case
of Internet shopping, they could shop at their own pace and have the server keep
track of the items they are buying. Also the web pages can be customized for
each visitor based on the personal information they provided the server that is
now stored on the cookie. This alleviates the server from having to store all
the information for every visitor[3,CIAC].
Unfortunately some companies and web developers have found other uses for
cookies. They have found ways to use the cookies to actually track the browsing
and buying habits of the users that visit their site(s). They do this by placing
their cookies on various sites and retrieving the information in such a way that
allows them to build detailed personal and financial profiles of their users. A
company that was created for the sole purpose of retrieving personal data from
cookies is DoubleClick.net, which is covered later on[1,Dark Side].
The Cookie Process At Work
A cookie is sent to a browser by including a line with the following syntax
in the header of an HTML document. The header is removed from the document
before the browser displays it. Thus, you will not see the header lines if you
execute the View, View Source, or Document Source commands in your
browser.
Set-Cookie: NAME=VALUE; expires=DATE; path=PATH; domain=DOMAIN_NAME; secure
Here the upper case names are strings the server can set.
NAME=VALUE is the name of the cookie and its VALUE. This is the data that the
web server wants passed back to it when a browser requests another page.
DATE is an attribute that determines how long the cookie persists on your
system. If there is no expiration date, the cookie is stored in memory only and
expires at the end of the current session (that is, when you quit the web
browser). If the DATE attribute is in the future, the cookie is a persistent
cookie and is saved in a file. Only persistent cookies can be used to track a
user at more than one site.
DOMAIN_NAME is an attribute that contains the address of the server that sent
the cookie and that will receive a copy of this cookie when the browser requests
a file from that server. It defaults to the server that set the cookie if it is
not explicitly set in the Set-Cookie: line. The value of DOMAIN_NAME is limited
so that only hosts within the indicated subdomain may set a cookie for that
subdomain.
PATH is an attribute that is used to further refine when a cookie is sent back
to a server. When the PATH attribute is set, a cookie is only sent back to the
server if both the DOMAIN_NAME and the PATH match for the requested file.
"secure" is an attribute that specifies that the cookie is only sent if a
secure channel (https) is being used[2,CIAC].
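The rules above can be followed step by step in a short program. The Python below is an example added to this essay, not code from any browser or from the cited sources: it parses one Set-Cookie line in the syntax shown, classifies the cookie as session or persistent, and decides whether a browser would send it back with a given request. The function names, the sample header, the date layout and the "/" default for PATH are assumptions made for the example.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit
DATE_FMT = "%a, %d-%b-%Y %H:%M:%S GMT"  # date layout assumed for this example

def in_domain(host, domain):
    """True if host is the domain itself or a host inside it."""
    domain = domain.lstrip(".").lower()
    return host == domain or host.endswith("." + domain)

def parse_set_cookie(line, origin_host):
    """Parse one Set-Cookie line as received from origin_host; None if rejected."""
    fields = [f.strip() for f in line.split(":", 1)[1].split(";") if f.strip()]
    name, _, value = fields[0].partition("=")
    c = {"name": name, "value": value, "expires": None, "path": "/",
         "domain": origin_host.lower(), "host_only": True, "secure": False}
    for field in fields[1:]:
        key, _, val = field.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":
            c["secure"] = True
        elif key == "expires":
            c["expires"] = datetime.strptime(val, DATE_FMT).replace(tzinfo=timezone.utc)
        elif key == "path":
            c["path"] = val
        elif key == "domain":
            c["domain"], c["host_only"] = val.lstrip(".").lower(), False
    # A server may only set a cookie for a domain it is itself part of.
    return c if in_domain(origin_host.lower(), c["domain"]) else None

def lifetime(c, now):
    """'session' (memory only), 'persistent' (saved to a file) or 'expired'."""
    if c["expires"] is None:
        return "session"
    return "persistent" if c["expires"] > now else "expired"

def would_send(c, url, now):
    """Decide whether the browser returns cookie c with a request for url."""
    u = urlsplit(url)
    host, path = (u.hostname or "").lower(), u.path or "/"
    domain_ok = host == c["domain"] if c["host_only"] else in_domain(host, c["domain"])
    prefix = c["path"].rstrip("/")  # match whole path segments, not bare prefixes
    path_ok = path == prefix or path.startswith(prefix + "/")
    secure_ok = u.scheme == "https" or not c["secure"]
    return domain_ok and path_ok and secure_ok and lifetime(c, now) != "expired"

# Constructed sample header and clock, not taken from a real site.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE = ("Set-Cookie: cart=3f9a; expires=Tue, 31-Dec-2030 23:59:59 GMT; "
          "path=/shop; domain=example.com; secure")
```

Current browsers also refuse a DOMAIN_NAME that is only a top-level domain; that check is not modelled here.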
Arguments For Cookies
The original intent, and one that is still used today, is the idea of being
able to customize home pages and entire web sites for each individual user.
Without cookies, a server would have to store all of the customized settings for
every person that visits the site. The server would also require that you sign
on and off each time you come to that site[3,CIAC]. With a cookie, the computer
and the server do all the work for you by passing the cookie to each other,
which contains all the settings that web page needs. This type of customization
can be used at news sites, to only show the stories that might interest you. Or
even customizing a page to show only the stock quotes of the stocks you have,
freeing you from having to sift through a lot of information you aren't
concerned about.
Cookies are also used in this same manner on Internet
shopping sites, via the use of a shopping cart. A cookie can store all the
information of the things you put in and take out of your shopping cart while
you browse the web site. This way, when you arrive at the checkout page, the
server simply requests that updated cookie from your computer and a list of all
the items you put in your shopping cart is all right there. The alternative to
this would mean that you would have to keep track of everything you want to buy
and type all that information in at the checkout page[3,CIAC]. This presents the
possibility of human error, whereas the computer can accurately keep track of
the items you selected.
An argument in favor of cookies from the business
industry is the idea of customized advertising. An advertising firm can send
along a cookie with one of its advertisements, and when you click on one of
their ads, the cookie is sent back to them and they can keep track of which
pages you viewed, how often you view them, and the IP address of your computer.
They will not be able to see what you do with the pages you view, but this
information is stockpiled and used as a resource by the advertising firm to
guess what your interests are and to target advertising specifically based on
these inferences[4,CIAC].
Myths And Rumors About Cookies
One of the biggest problems surrounding the reputation of cookies is the
myths and rumors associated with them. Some have asked the question, "Can I
catch a virus from a cookie?" Although theoretically it can be done, the
chances of it ever happening are slim to none. Most cookies are simply text
files that are sent to your computer to store alphanumerical information for the
server. In order for a virus to be transmitted through a cookie, the cookie
would have to be executable, or a .exe file. It is very, very rare to
ever find an executable cookie. However, recent bugs found in Internet Explorer
3.0 have allowed for a site to run an application. In theory, if an executable
cookie were created and contained malicious and harmful commands, it is possible
that IE 3.0 could execute the cookie, and infect your computer with a virus.
Another aspect of this idea to consider is that the maximum contents of a cookie
are 4Kb, and the line to delete the contents of a hard drive is only 18 bytes
long, theoretically allowing for the executable cookie to delete your hard drive
memory. But again, the chances of this happening are incredibly
low[1,Viruses].
Another fear about cookies that has been proven to be
untrue is the idea that a cookie is a program that can scan your hard drive and
extract from it any information they want, such as passwords, a list of the
software on your computer, social security numbers, and credit card numbers.
This again goes back to the fact that cookies are not executable files and can
therefore not scan your machine[1,CIAC]. The paranoia surrounding this idea also
created the rumor that America Online's (AOL) new software contained cookies
that could obtain private information from users' hard drives. Such hoaxes have
not helped the reputation of cookies[1,Government].
Arguments Against Cookies
The biggest controversy around cookies is not the possibility of what they
can do, but more about the type of information they can contain. If you look in
your cookie folder on your computer, you may find a cookie for
doubleclick.net, but you probably don't recall ever visiting the doubleclick.net
site. You probably didn't. In fact, DoubleClick is a service provided to web
sites that allows subscribers to the DoubleClick service to receive this
DoubleClick Cookie. When you hit a site that contains a DoubleClick cookie, the
server sends a request to the DoubleClick server with your ID, requesting all
available marketing information about you. Most of this information comes from
your record of hitting DoubleClick subscriber sites. The information is used to
present you with specially targeted and customized marketing banners and
advertisements. The DoubleClick.com web site insists that no personal
information (i.e. your name, e-mail address, phone number) is used to deliver
these ads[1,Dark Side].

However, the
doubleclick.net site does divulge how the service uses cookies that the user
does not know they are getting to collect data about that user. The
advertisng/howads.htm makes the point that this "entire transaction is
transparent to the user." The main concern is that this is done without anyone's
knowledge besides the DoubleClick server and the web site that subscribes to
them[1,Dark Side]. It is rather scary to contemplate how such an intimate
knowledge of your personal preferences and browsing activities is compiled
without your knowledge.
Along these same lines, most of the controversy
surrounding cookies involves their ability to track your browsing and buying
habits. Cookies can be used to see what pages you visit and how often you visit
them. However, it must be noted that a server's log contains all of this
information anyway. Cookies do not increase a server's ability to track you,
they just make it easier. On multiple client sites that are serviced by the same
marketing site, cookies can track your browsing habits on all the client sites
of that marketing firm[4,CIAC].
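What the cookie adds to an ordinary server log can be seen by grouping the same requests two ways. The Python below is an example added to this essay, not code from any marketing service: the log lines, cookie IDs and site names are constructed, and it assumes the marketing server learns which client site embedded each banner. It compares profiles built from the IP address alone with profiles built from the cookie ID.

```python
from collections import defaultdict

# Constructed marketing-server log, one banner request per line.
# Fields: client IP, cookie ID ("-" if the browser sent no cookie),
# client site that embedded the banner (assumed known to the server).
AD_SERVER_LOG = """\
203.0.113.7  id=A1  news.example
203.0.113.7  id=B2  shop.example
198.51.100.4 id=A1  travel.example
203.0.113.7  id=B2  health.example
198.51.100.4 id=A1  shop.example
203.0.113.7  -      cars.example
"""

def parse(log):
    """Yield (ip, cookie_id or None, site) for each log line."""
    for line in log.splitlines():
        ip, cookie, site = line.split()
        yield ip, (cookie[3:] if cookie.startswith("id=") else None), site

def profiles_by(key_index, log):
    """Group visited client sites by IP (key_index 0) or cookie ID (1)."""
    out = defaultdict(list)
    for rec in parse(log):
        if rec[key_index] is not None:
            out[rec[key_index]].append(rec[2])
    return dict(out)

def untracked_requests(log):
    """Sites requested without a cookie, as from a browser that blocks them."""
    return [site for _, cookie, site in parse(log) if cookie is None]

if __name__ == "__main__":
    # By IP: two people behind one shared address are merged, and one
    # person seen from two addresses is split into two profiles.
    print(profiles_by(0, AD_SERVER_LOG))
    # By cookie ID: each browser gets one profile spanning every client site.
    print(profiles_by(1, AD_SERVER_LOG))
    print(untracked_requests(AD_SERVER_LOG))
```

The request without a cookie still appears in the log under its IP address, which is why blocking cookies does not by itself make a visitor anonymous.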
Although most users have simply shown
their annoyance with cookies, and done little about it in the public arena,
organizations such as the Electronic Privacy Information Center (EPIC) have
taken their grievances to the government. EPIC filed a complaint with the
Federal Trade Commission (FTC) concerning the information collection practices
of DoubleClick Inc., and its business partners. The complaint alleges that
DoubleClick is unlawfully tracking the browsing habits of users and compiling
this information into a national marketing database. Also the Internet
Engineering Task Force (IETF) is now considering a proposal that will fix the
problems with cookies. A coalition of consumer, educational, and privacy groups
has urged the IETF to accept this proposal[1,EPIC].
Understanding The Cookie And Blocking It
If you would like to decide what cookies you will accept and want to know
how to configure your browser to alert you to cookies, click here
If you would like to see the cookies on your computer that you have already
accepted, click here
Most browsers can be set to not accept any cookies, or at least you can choose
which cookies you will accept. Note that
blocking cookies can disable some sites
and prevent them from working. Also, by
blocking cookies, you are not guaranteeing
your anonymity on the web, you are simply
preventing certain cookies from being placed
on your computer[1,CIAC]. Another way to
handle cookies is to get a cookie-blocking
software package that gives you more control
over the cookies you will and won't accept.
A trick to get around cookies is to delete
the file cookie.txt and replace it with
a write-protected, zero-length file of the
same name. If any of the web sites containing
cookies tried to send a cookie to your computer,
it wouldn't take. The latter method of course
is not guaranteed to always work[2,Dark
Side].