Getting to Know About (and Getting Rid of) 
Internet Cookies

There's been a bucket of hype about web cookies the last few months. Some web activists say that cookies are evil, privacy-destroying little monsters that are leading us to a world where our every move is catalogued, or that they suck up sensitive information from elsewhere in your computer and upload it to covert government agencies.

About Cookies

The truth is, although some cookies should be avoided, most are innocent, and many are even helpful to Internet users.

A cookie is like a passport in your computer. Whenever you visit a web site, the web server can send a cookie to your computer, which is then stored on your hard drive. As you visit additional sites, you may pick up additional cookies. Each cookie is a miniature record of your visit to a specific web site, complete with information such as an ID number, time of your last visit to that specific site, and any other information that you give up willingly such as password or email address.

The only information a cookie can preserve in your browser is time, date, browser type, and whatever string of information the cookie-owner wants to send back to him or herself the next time you enter that particular site (and *only* that particular site.) The effect is something akin to "Caller ID" on telephones. By retrieving the cookie left previously, a web site can "remember" your site-specific password, your preferences, and other tidbits of information. When you re-visit a site, a cookie left on your hard drive will identify you.

For example, on-line organizations, like the New York Times, which require user ID and passwords can store this information in the form of a cookie. This way, repeat visitors avoid having to fill out form information on each visit. Likewise, some on-line search engines use cookies to "remember" users and offer them customized news and services based on their prior use.

On a more general note, a site could display a "what's new" page based on the last time that particular user visited the site, or could let visitors customize how the site will look to them, and to save a short record of those choices for future visits. In a department store you can monitor traffic by following worn places in the carpet; in a web site, cookies can trace user activity, which enables the web designers to determine which of their pages were the most successful and plan their updates accordingly.

With the increasing commercial applications of the Internet, it was probably inevitable that cookies would quickly be utilized for commercial purposes. Since cookies can be matched to the profile of a user's interests and browsing habits, they are a natural tool for the "targeting" of advertisements to individual users.

A commercial application you may be familiar with is called a "shopping cart." It allows you to move from page to page putting items into a basket. These carts are actually cookies, which are used to store information about the contents of your shopping cart so that you can conveniently purchase a cart full of items. Without it, you would have to purchase items one at a time.

Internet marketing consultants have also began to utilize cookies to increase the efficiency of advertising placement on web sites. Their intent is to target advertisements, such as banner ads, to users whose profiles match those of likely consumers of the advertised products. For example, one company was retained by the 3M Corporation to help target Internet banner advertising for an expensive multi-media projector. The consultants made use of cookie information to match the banners with users who had a history of selecting high-technology sites.

Privacy activists have two related concerns about cookies: the possibility that users could be tracked consistently between sites, and that the limited information in a cookies might be linked with a larger database elsewhere.

Tracking between sites is happening right now. If you look in your cookie file (see sidebar) there are probably cookies in there from sites you do not remember visiting. This is not really supposed to happen--cookies are set by one site, and aren't supposed to be available to other sites. However, a handful of net-oriented ad agencies have found a loophole in that rule. What happens is that a site puts a paid ad banner in their pages. That banner isn't from the original site, though—it’s actually a link to a graphic in the ad agency's site – and so the home user gets a cookie from the ad agency. Even though the ad agency might place banners in several different sites, your browser will see them as coming from the same site--the ad agency.

Three marketing companies that are selling marketing strategies based on this type of cookie are Globaltrack, Doubleclick, and Focalink. Doubleclick has gotten attention by taking tracking a step further. Doubleclick is now placing banner ads in Lycos and AltaVista, two of the most popular web search engines. Doubleclick calls its new strategy "Editorial Targeting". Users of AltaVista have already started noticing that the ad banners they see have started to show strange relationships to the words being searched on. Do a search on "German shepherd," say, and you might get an ad for dog food.

By itself, even this kind of tracking might not be harmful. Right now, all the server knows is that ID number 18579 went to sites A, B, and C, and did dog-related searches on AltaVista. This kind of information is gold to marketing firms, and the ability to sell enhanced advertising could help many commercial sites compete with TV stations and paper publications for ad dollars. The worry is that somewhere in the corporate world, someone might be keeping a list that links that cookie ID with a true name and real-life address.

How would someone get that information? Many, many users have offered up all that data by themselves--by filling out forms on the web. This could be compared to having your address and whatever other information you fill out on a form made permanently visible to the owner of a store. All it takes is one filled-out form to leak out your personal information for good, and one unscrupulous webmaster to link that information with your cookie file.

These things don't appear to have happened--yet. The current uses for cookies aren't as alarming as their potential for abuse in the future. The best advice is simply to keep a heads-up attitude about sharing personal information about yourself on the web. Don't fill out a form unless you are sure the site is "secure" (see @Internet, December issue), or have a specific reason to do so—or do what many savvy people do, and put in a fake name and address.

Otherwise, eat up those cookies and let them make your browsing a breeze!


Cookie Crushing Software

Cookie Crusher: www.thelimitsoft.com/cookie.html

Viewing Cookies

Because cookie files are ordinary text files, you can browse them with virtually all text editor or word processor programs. Wordpad, Simple Text, or Notepad will do the trick, and are available on most machines.

To find Netscape cookies on Windows machine, look in the \Netscape\ directory (or whatever directory your browser stays in) for a file called cookies.txt; Internet Explorer stores cookies in \windows\cookies\. On a Mac, the file is called MagicCookies. Each cookie is a line of text in the file. Here is an actual cookie: hix.mit.edu FALSE / FALSE 942192760 s dial014254538298

Avoiding Cookies

You can tell your browser to alert you whenever a web site is trying to set a cookie on your computer. In Netscape, select Options … Network Preferences. From the window that appears, select the Protocols tab. Locate the section Show An Alert Before, and check the box marked Accepting a Cookie. In Microsoft Internet Explorer, choose Go to the Control Panel (from the Start button), and click on the Internet icon, then select the Advanced tab. Check the box marked Warn before accepting cookies.

If you follow this procedure, you’ll get a warning every time a cookie is sent and be able to choose whether or not to allow it. If you select "Cancel", the cookie won’t be set. In most cases, the web site acts normally, but in some cases this can cause the web site to display incorrectly. The disadvantage of this method is that some sites attempt to send a cookie with every image, meaning that you can be clicking "Cancel" a lot before the web site finally appears.

Tossing Your Cookies

Despite of the fake "Do Not Edit" warning at the top of your cookie files, it is perfectly safe to delete any, or all cookies, using any text editor or word processing program. When you see a cookie you do not like, delete it. I make my decisions based on the URL at the beginning of the cookie and either leave it alone or delete the entire cookie.

You can also periodically locate and delete the \windows\cookies\ folder or the cookies.txt file, which will, of course, wipe out all cookies stored on your computer; however, Netscape Navigator and Microsoft Explorer will immediately generate new ones the next time you start them up.

Eliminating Cookies

As you can see, neither Internet Explorer nor Navigator allow you to turn off cookies completely; however, you can alter your cookie files so that they are un-usable. You do this by write-protecting the files. If you use Internet Explorer as a browser, you will get a message every time a cookie is set, to the effect that your cookie file is missing or corrupted, which is annoying. Netscape, however, blithely ignores the problem and the cookies simply aren’t stored.

You can write-protect the files using Windows Explorer or another file manager. For each file or folder, simply select "Properties," and on the window that pops up, check the box marked "Read only."

Cookie Q & A

Q: When is a cookie really useful to me?
A: One of the most popular applications of cookies is the "shopping cart". Sites like L.L. Bean use cookies to keep track of your purchases while you shop in their virtual store.

Q: What can’t cookies do?
A: Cookies cannot enable the web server to read from your hard drive, get your e-mail address against your will, destroy files on your computer, or create executable programs. Cookies can only contain as much information about you as you disclose on the site which sets the cookie.

Q: If a cookie is stored on my hard drive, won’t that consume a lot of disk space eventually?
A: Not really. Cookies are limited to 4k in size, and most are much smaller. Also, your browser limits your cookies to 300; if number 301 comes in, the oldest one gets deleted.

Q: Who can see my cookies?
A: A cookie is specific to a web server. Only the web server that set the cookie initially can retrieve it later. So, no one can retrieve all of your cookies to develop a profile of your web browsing habits.

Q: Since they’re downloading something to my hard drive, should I be concerned about viruses?
A: No, cookies are limited to text-only, and can’t be executed. Therefore, it’s impossible for a cookie to contain a virus. (For more about viruses and the Internet, see the January issue of @Internet Magazine.)

Q: Can web sites use cookies to see where I’ve been previously?
A: No, but surprisingly, any web site can get information regarding what operating system and browser software you are using (for example, Win95/Netscape), and the address of the last site you visited without using cookies! (For a demonstration, visit www.anonymizer.com/cgi-bin/snoop.pl)

Q: Do they ever go away?
A: All cookies have expiration dates (like the store-bought kind), but usually those expiration dates are either years in the future, or immediately after the web session ends, depending on what the cookie is being used for.

Q: Are cookies a security risk?
A: They could be, in a small way. If your computer is networked to others, there is a possibility that someone could access your cookie file and read it. If some of your cookies contained passwords that you use for particular web sites, that information would be readily available. To combat this, most web sites don’t set cookies with anything more than an encrypted ID number. You should also make a habit of using different passwords for web sites than you do for more critical things, like locking your computer or your ATM card.

 

The above  information was compiled by CantonSouthDakota.com, and appeared in part, as an article in @Internet magazine.