"Cookies"

Cookie is the deceptively sweet name for a small file that may be placed on your computer’s hard drive, often without your knowledge, when you visit a web site. The cookie is a unique identifier that enables the site to which you are linked to recognize that you have been there before. It enables the site to which you are linked to keep track of you as you go to different pages on that site, or to other sites, and to retrieve from its database any record of your previous visit or visits to the site.

Cookies are a reminder that surfing the web is not an anonymous activity. Your movements in cyberspace can be and often are tracked.

Cookies serve legitimate purposes, but they can also be misused to invade your privacy. Contrary to some popular rumor and myth, cookies do not damage your computer or your files in any way. They also do not make information on your computer more vulnerable to compromise. [1]

How Cookies Are Used

Here are some of the ways in which cookies are used.

  • When you log on to many Internet shopping sites, you are sent a cookie with the number of a shopping cart. Each time you select an item to buy, that item can be added to your shopping cart. When you are done shopping, the checkout page lists all the items in the shopping cart associated with that cookie. Without the cookie, the shopping site to which you are linked could not keep track of all your purchases. You would have to keep track of the items yourself and type their names and/or numbers into the checkout page, or else buy each item one at a time. If the only purpose of the cookie is to keep track of your shopping cart, the cookie is automatically deleted as soon as you leave the site. As noted below, however, there are other uses of cookies for online commerce that involve leaving the cookie on your hard drive for a prolonged period.
  • Suppose you buy a book from one of the prominent Internet booksellers. When you go to that site again, you will be greeted by name. The books that are featured prominently on the bookseller’s home page will be selected to match your interests based on what is known about you from your previous purchases. And you may have the convenience of an expedited checkout procedure that does not require you to give your address or credit card number, as the site already has that information. The cookie that was put on your hard drive during your first visit to the site, and which remains there until some specified expiration date (often one year), is what makes this possible. It enables the bookseller to recognize you as a previous visitor, automatically access the database record of your previous visit or visits, and customize the site to best meet your needs.
  • Suppose you want to read one of the major national newspapers online and use its archives for research. You are required to become a registered user of the site. To register, you provide your user name and password and are then required to give your age, gender, and zip code. You are also asked for your income, but this is optional. The next time you visit the site you do not need to log in, as you are recognized automatically as a registered user. The newspaper’s computer system tracks electronically all your moves while on its site. Based on what the newspaper’s computer knows about your demographics and your interests, you will be shown those advertisements to which you are most likely to respond and not shown ads in which you are unlikely to be interested. Every time you click on an ad, this will be recorded in a database. Using the records of ad clicks and demographic data for thousands of registered users, the newspaper analyzes the effectiveness of each online advertisement. All this is made possible by the cookie placed on your hard drive when you registered at this site.
  • A major online advertising agency places online advertising for hundreds of clients on hundreds of different web sites. When you go to a web page with one of its ads, the ad comes directly from the advertising firm and is not merged with the rest of the page until it arrives at your computer. It takes the advertising agency’s computer less than 20 milliseconds to read the cookie on your hard drive, access information on you in its database, and decide which of its many ads to insert on the page you requested. It sends a cookie along with each ad, and the previous cookie on your hard drive is sent back to the agency to update its database. In order to build up your interest profile, a database in the agency’s computer maintains records of which sites you have visited, which ads you were exposed to, how frequently you were exposed to them, whether you clicked on the ad, and whether you purchased anything as a result. The goal is to use your interest and demographic profile to customize which ads you are shown in order to maximize the effectiveness of the advertising.
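
The ad-agency item above can be modeled in a few lines. This is an added illustration, not code from the original briefing; the class names, the `ads.example` domain, the site names and the `uid-N` identifier format are all constructed. It compares what the agency's database holds when the browser accepts the cookie and when cookies are disabled.

```python
import itertools
from collections import defaultdict

class AdServer:
    """Hypothetical ad agency whose ads are embedded on many client sites."""
    def __init__(self):
        self._ids = itertools.count(1)
        self.profiles = defaultdict(list)    # cookie id -> pages where an ad was shown

    def serve_ad(self, cookie, page):
        # No cookie came back with the request: the agency cannot
        # recognize this browser, so it issues a fresh identifier.
        if cookie is None:
            cookie = f"uid-{next(self._ids)}"
        self.profiles[cookie].append(page)   # update the interest profile
        return cookie                        # sent back along with the ad

class Browser:
    """Keeps one cookie per domain, the way a browser's cookie store does."""
    def __init__(self, accept_cookies=True):
        self.accept_cookies = accept_cookies
        self.jar = {}                        # domain -> cookie value

    def visit(self, page, ad_server, ad_domain="ads.example"):
        # The page embeds an ad, so the browser also contacts the ad domain
        # and sends back whatever cookie that domain set earlier.
        cookie = ad_server.serve_ad(self.jar.get(ad_domain), page)
        if self.accept_cookies:
            self.jar[ad_domain] = cookie

# Constructed browsing session across three unrelated client sites.
SITES = ["news.example/politics", "shop.example/cart", "health.example/symptoms"]

def run(accept_cookies):
    """Browse SITES once and return the agency's resulting database."""
    server, browser = AdServer(), Browser(accept_cookies)
    for page in SITES:
        browser.visit(page, server)
    return dict(server.profiles)

if __name__ == "__main__":
    print("cookies accepted:", run(True))
    print("cookies disabled:", run(False))
```

With cookies accepted, all three visits land in one profile under a single identifier; with cookies disabled, the agency sees three apparently unrelated browsers with one page each.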

Privacy Issues

Cookies are controversial because they raise privacy issues. They are put on your computer without your explicit approval and are used to track where you go on the Internet. Most sites track your movements only within their site, but online advertising agencies with multiple clients track your movements among all their clients’ sites. When you register to use many sites and services you are required to provide demographic information about yourself, often including your name, or an e-mail address that can lead to identification of your name.

There is concern that dossiers of personal information on individuals and their behavior in cyberspace could be compiled, sold to advertisers or insurance companies, and used in ways that violate one’s right to privacy. Privacy advocates argue that online marketers should be kept out of the "cookie jar," and they urge Internet surfers to "toss their cookies" to protect themselves from the "Cookie Monster."

There is no question that cookies, and the information they enable others to collect, could be misused. The open questions are: How often is this information actually being misused? And how much of a threat does this represent? Most advertisers comply with the Direct Marketing Association’s Marketing Online Privacy Principles. At least one major advertising agency specializing in Internet advertising has voluntarily opened its practices and systems for third-party auditing.

Options for Dealing with Cookies

Because cookies are controversial, both Netscape and Microsoft browsers offer users options for dealing with cookies. Depending upon which browser you are using and how current it is, the controls for dealing with cookies will usually be found on the Edit or View menu, under Options or Preferences. You may then have to click on a tab called Advanced, Security, or Protocols. There are four possible options, although not all options are offered by all browsers.

  • Accept All: This is usually the default setting and means that all cookies are accepted.
  • Accept only cookies that get sent back to the originating server: This means you accept only temporary cookies that are deleted as soon as you exit a site. They help the site keep track of your activities only while you are connected to it. For example, such temporary cookies are needed if you want to be able to put multiple purchases into a "shopping basket" as discussed above.
  • Disable Cookies: Your computer will not accept any cookies under any circumstances. You will need to turn cookies back on if you want to use any online services that require them.
  • Warn me before accepting a cookie: Whenever a site to which you are connected tries to put a cookie on your hard drive, you are warned and given the option of accepting or rejecting it. The downside of this is that responding to all the warnings at a busy shopping site can become very tedious.

Several companies offer special software packages that work with your browser and enable you to designate which sites can send you a cookie and which cannot.

If you want to look at your cookies, the most common place for them to be located is in a directory subordinate to the directory where your browser is located. However, they may be in several different locations, so the most efficient way to find them is to use the Find command and type in "cookies". Cookies are ordinary text (.txt) files, so they can be read with a program such as Wordpad or Notepad.

You may delete all cookies from your computer if you wish, but be sure to close your browser first. Cookies are held in memory while the browser is open, so deletion while the browser is open will be ineffective. Remember, however, that deleting all your cookies will cause you to start from scratch with every web site you normally visit. It may be preferable to delete only those cookies you don’t want or don’t think you need.
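
To decide which cookies to delete, it helps to sort them by how long they are set to remain on the hard drive. The following is an added example, not part of the original briefing; it assumes the Netscape-style `cookies.txt` layout (seven tab-separated fields per line), and the sample entries, domains and the 30-day threshold are constructed.

```python
# Fields per line in the Netscape-style cookies.txt layout (assumed here):
# domain, subdomain flag, path, secure flag, expiry (Unix time, 0 = session), name, value
FIELDS = 7
NOW = 1_700_000_000          # fixed "current time" so the sample is reproducible
DAY = 86_400

# Constructed sample file contents.
SAMPLE = "\n".join([
    "# Netscape HTTP Cookie File",
    "\t".join([".ads.example", "TRUE", "/", "FALSE", str(NOW + 365 * DAY), "uid", "constructed-1"]),
    "\t".join(["shop.example", "FALSE", "/", "FALSE", "0", "cart", "constructed-2"]),
    "\t".join(["news.example", "FALSE", "/", "TRUE", str(NOW + 7 * DAY), "login", "constructed-3"]),
    "\t".join(["old.example", "FALSE", "/", "FALSE", "1600000000", "visitor", "constructed-4"]),
    "not a cookie line",
])

def parse_cookies_txt(text):
    """Yield (domain, name, expiry) for each well-formed cookie line."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue                      # blank line or comment
        parts = line.split("\t")
        if len(parts) != FIELDS or not parts[4].isdigit():
            continue                      # skip malformed lines rather than guess
        yield parts[0], parts[5], int(parts[4])

def audit(text, now=NOW, long_days=30):
    """Group cookies into session, expired, short-lived and long-lived."""
    report = {"session": [], "expired": [], "short": [], "long": []}
    for domain, name, expiry in parse_cookies_txt(text):
        if expiry == 0:
            bucket = "session"            # discarded when the browser closes
        elif expiry <= now:
            bucket = "expired"            # past its expiration date
        elif expiry - now <= long_days * DAY:
            bucket = "short"
        else:
            bucket = "long"               # candidates for review or deletion
        report[bucket].append((domain, name))
    return report

if __name__ == "__main__":
    for bucket, cookies in audit(SAMPLE).items():
        print(f"{bucket:8} {cookies}")
```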

Reference
1. U.S. Department of Energy, Computer Incident Advisory Capability (CIAC), I-034: Internet Cookies, March 12, 1998. Barry D. Bowen, "How Popular Sites Use Cookie Technology," Netscape World, April 1997.
