SimpleHost Webstats produced by Analog 4.15

Do you want to see a





Let's Talk About Cookies:

- - - - - - - - - - - -
.::. The Cookie Concept
- - - - - - - - - - - -
.::. The Dark Side
- - - - - - - - - - - -
.::. New Technology or Existing Technology Under Attack
- - - - - - - - - - - -
.::. Government Speaks out on Cookies
- - - - - - - - - - - -
.::. Cookies and Viruses
- - - - - - - - - - - -
.::. What Went Wrong?
- - - - - - - - - - - -

.::. The Cookie Concept

The WWW is built on a very simple, but powerful premise. All material on the Web is formatted in a general, uniform format called HTML (Hypertext Markup Language), and all information requests and responses conform to a similarly standard protocol. When someone accesses a server on the Web, such as the Library of Congress, the user's Web browser will send an information request to the Library of Congress' computer. This computer is called a Web server. The Web server will respond to the request by transmitting the desired information to the user's computer. There, the user's browser will display the received information on the user's screen.

Cookies are pieces of information generated by a Web server and stored in the user's computer, ready for future access. Cookies are embedded in the HTML information flowing back and forth between the user's computer and the servers. Cookies were implemented to allow user-side customization of Web information. For example, cookies are used to personalize Web search engines, to allow users to participate in WWW-wide contests (but only once!), and to store shopping lists of items a user has selected while browsing through a virtual shopping mall.

Essentially, cookies make use of user-specific information transmitted by the Web server onto the user's computer so that the information might be available for later access by itself or other servers. In most cases, not only does the storage of personal information into a cookie go unnoticed, so does access to it. Web servers automatically gain access to relevant cookies whenever the user establishes a connection to them, usually in the form of Web requests.

Cookies are based on a two-stage process. First the cookie is stored in the user's computer without their consent or knowledge. For example, with customizable Web search engines like My Yahoo!, a user selects categories of interest from the Web page. The Web server then creates a specific cookie, which is essentially a tagged string of text containing the user's preferences, and it transmits this cookie to the user's computer. The user's Web browser, if cookie-savvy, receives the cookie and stores it in a special file called a cookie list. This happens without any notification or user consent. As a result, personal information (in this case the user's category preferences) is formatted by the Web server, transmitted, and saved by the user's computer.

During the second stage, the cookie is clandestinely and automatically transferred from the user's machine to a Web server. Whenever a user directs her Web browser to display a certain Web page from the server, the browser will, without the user's knowledge, transmit the cookie containing personal information to the Web server.

.::. The Dark Side

Find out how you are traced while surfing on the Web

Using Find File, look for a file called cookies.txt (or MagicCookie if you have a Mac machine). Using a text editor, open the file and take a look. If you've been doing any browsing, the odds are about 80/20 that you'll find a cookie in there from someone called "doubleclick.net".

If you're like me, you never went to a site called "doubleclick". So how did they give you a cookie? After all, the idea of the cookie, according to the specs published by Netscape, is to make a more efficient connection between the server the delivers the cookie and the client machine which receives it. But we have never connected to "doubleclick".

Close MagicCookie, connect to the Internet, and jump to www.doubleclick.net Read all about how they are going to make money giving us cookies we don't know about, collecting data on all World Wide Web users, and delivering targeted REAL TIME marketing based on our cookies and our profiles. Pay special attention to the information at:advertising/howads.htm You'll see that the folks at "doubleclick" make the point that this entire transaction (between their server and your machine) is transparent to the user. In plain English, that means you'll never know what hit you. So what's happening is, subscribers to the doubleclick service put a "cookie request" on their home page for the DoubleClick Cookie.

When you hit such a site, it requests the cookie and take a look to see who you are, and any other information in your cookie file. It then sends a request to "doubleclick" with your ID, requesting all available marketing information about you. (They're very coy about where this information comes from, but it seems clear that at least some of it comes from your record of hitting "doubleclick" enabled sites.) You then receive specially targetted marketing banners from the site. In other words, if Helmut Newton and I log on to the same site at the exact same time, I'll see ads for wetsuits and basketballs, and Helmut will see ads for cameras. If you log in to a "doubleclick" enabled site, and it sends a request for your "doubleclick" cookie, and you don't have one, why each and every one of those sites will hand you a "doubleclick" cookie. Neat, huh? And you can bet they're going to be rolling in the cookie dough.

The main concern is that all this is done without anyone's knowledge. Some people may find the gathering of any information invasive to their privacy, but to the average level headed personal, the use of this information is harmless in itself as long as you know the limitations of these networks, who is collecting what information and for what purpose. On the other hand, what right should anyone have to collect information about me without my knowledge, and why should they break my right to privacy, you have to find the right balance between these views. One of the main issues is awareness.

So much for making the "client-server negotiation more efficient", whatever your view on tracking, the cookie protocol has certainly been manipulated for this use, against its original intent. Note that recent versions of Netscape have an option to show an alert before accepting a cookie and they also allow you to block cookies completely, see the Version 4 update and the Stopping Cookies page for more detailed information.

This is what other surfers did to work around Cookies

A suggested way to handle this was to delete the file and then replace it with a write-protected, zero-length file of the same name. It's not my suggestion (and I don't remember who did suggested it) but I did that on my system and that same zero-length, write protected file is still there. I surf to literally hundreds of WWW pages per month and if any of them handed me a "cookie", it sure didn't take. I can't provide a guarantee that this will prevent someone from handing you a "cookie" but if they do it will be very obvious by the non-zero length file size.

In Internet Explorer

Actually, if you want to keep cookies but want rid of the double-click place and other future invasions in the future, try this: Internet Explorer 3.0 no longer has a single cookies.txt it has a folder in the windows directory with lots of individual txt file inside. Find the double-click one and corrupt it so that double-click recognizes and doesn't replace it but it gives it no information. Then lock the file.

In Netscape

I have found a way to protect myself from the "Cookie Monster". My cookies.txt and netscape.hst files are set to 0 (zero) bytes and are attributed as system, hidden, and read only. This seems to work very well in Netscape Navigator 2.02 (32 bit). You can do the same thing, if you choose. There seems to be a slight problem in some of the sites that will allow you to configure them to your preferences, but I'll trade security for convenience any day. I use an app from Privnet called Internet Fast Forward. It will block out cookies (you can also filter them selectively... let certain cookies for site preferences through, block all others), ad images, images larger than a certain size in KB, images that you select. It's currently in beta, but is a very good app.

.::. New Technology or Existing Technology Under Attack

The Cookie Protocol was originally designed for consumer convenience and not to be malicious, the cookie is just another tool on the web, but it is the way in which some sites implement that tool that can cause problems, mainly privacy problems.

But, a coalition of privacy advocates is setting out to change that protocol. A new proposal being put forward to the IETF, as well as the heads of Microsoft and Netscape corporations'. If enforced, it would limit the persistence of cookies and give the user a wider choice of which cookies to allow and from where. If the new specification is implemented as a standard, it will be integrated into all mainstream browsers in time. This would give people wider options in their standard browser, rather than having to purchase additional software.

The IETF (Internet Engineering Task Force) is a non-profit organisation with thousands of members, and currently holds a lot influence on decisions deciding the future of the web, set up October 1996.

Another part of the proposal, would require browsers to at least warn before accepting cookies by default, so that cookies are less transparent to new users, and users currently unaware of cookies. "We want the defaults set in such a way that no one can send you a cookie without you knowing it," said Marc Rotenberg, director of EPIC one of the organisations that supports the new proposal.

Current Organisations backing the new proposal are: Center for Media Education, Computer Professionals for Social Responsibility, the Consumer Project on Technology, the Electronic Frontier Foundation, and the Electronic Privacy Information Center (EPIC).

The most controversial issue of the proposal is the ability to limit or altogether stop cookie requests from third party servers. This the one feature which additional client software cannot stop. This would throw the future of targeted marking firms into jeopardy. Many sites now use these companies or use banners from third party servers for their advertising. On a site that obtains its advertisements from a third party server, there would be a request on the page to the other server. Because cookie can be placed on any object, when the site requests the banner from the other site, it would then read or set a cookie.

The request for the banner then sets a cookie, then returns an advertising image. The cookie with the image request could then record what adverts had been displayed to the user and which banners they had clicked on. If the client went to another site which obtained its adverts from the same server, when that page requested the banner from the third party server it would read the same cookie then it would be able to display adverts which have been customised from the data on the cookie, so they would not see the same adverts again (unless a company paid for it to be displayed again), another variable would be set to the cookie indicating that they have visited that site, all this information gathered can be used to build up a detailed profile of the users likes, dislikes and where they go, so they target advertisement even more accurately at the user. Over a long period of time this would become very accurate. To some people having advertisements that are to their liking are not that bad. Indeed I would rather be downloading a banner that may interest me, rather than an advertisement of no relevance to me at all.

If you think of this information being gathered about you in a central place, it becomes a daunting thought. Even though these targeted marketing companies cannot use a cookie to obtain personal information from your computer like your name or e-mail address, they could however aggregate information you revealed to disparate sites. For instance, if you went to a site with lax privacy standards and decided to submit your name and e-mail address, this information may be passed on and then coupled with a database of your likes, dislikes and advertising statistics. Some contend this does not constitute an invasion of privacy, however the widespread and automated nature of this technology enables the collection of data without people’s knowledge, this certainly takes away the perceived anonymity of the web.

Some people may think this is an invasion of privacy, and others do not, but this proposal will hopefully have the outcome of giving people a choice.

Examples of these so called 'targeted marketing' companies are : Doubleclick, Focalink, Globaltrack, ADSmart, all of these companies use cookies to target advertisements at you, at their enabled sites. If the proposal goes through, and the cookie protocol amended to disallow cookies from third party servers, the future of these targeted marketing companies would be very dark indeed. Currently, the cookies used in targeted marketing are set automatically and can only follow an number of variables, users appear anonymous to these companies unless they voluntary surrender personal information.

Hopefully the proposal will result in giving you more choice and control over your privacy, because these technologies affect you, people should have the choice of controlling them.

The Persistent Cookie protocol was first developed by Netscape to maintain state in the stateless environment of HTTP. It has turned out to have many uses, good and bad, and many far from its original intent in the first place. The subject of cookies and other invasive technologies has touched on a very controversial issue of privacy, which we have temporally lost on the net. Since they were first introduced a few years ago, the protocol has changed before, in the past any site could view all the cookies in the jar, but this was coupled with more serious and concerning problems in Java. The new proposal will take a lot of time to implement, a lot of hard decisions have to be settled before the resulting standard is set. It has taken until Internet Explorer 6 before Microsoft have taken time to implement P3P. Some of those decisions may effect the futures of a lot of marketing companies, which for now are very secure.

.::. Government Speaks out on Cookies

The Energy Department's Computer Incident Advisory Capability (CIAC) recently issued a report on cookie technology and its use on the web. They deemed the general use as being ok, but did stress concern over the use of persistent cookies to target users, "Cookies are being used for tracking people's browsing habits, and that makes a lot of people really uncomfortable." The report also indicated that as long as companies maintain a good sense of ethics, inherently bad uses of cookies could be prevented. People can also have good control of the cookies stored on their system, either by manipulating their cookie files or using third party software.

The report stressed that there's a sense of paranoia involved with cookies, cookies cannot harm your computer or pass on private information such as an email address without the user's intervention in the first place. Paranoia has recently been sparked by one rumour involving AOL's new software, it claimed that AOL were planning to use cookies to obtain private information from users hard drives. Such hoaxes have not helped the reputation of cookies.

Cookies have attracted a lot of attention over recent months, the first batch of cookies were originally cooked up as simple mechanism to help make it easier for users to access their favourite sites by storing passwords, a process previously impossible due to the stateless nature of HTTP.

.::. Cookies and Viruses

What Are The Chances of Catching a Virus From a Cookie?

A normal text based cookie cannot be of any danger to your computer or spread any viruses. Whether or not other cookies can be dangerous or spread viruses has to do with whether or not a file is "executable," meaning if it's a program rather than data. UNIX files, for instance, have some combination of the properties "readable," "writable" and "executable." The executable property is necessary to enable a program in a file to do something. If a cookie is not stored in an executable format for that platform, it cannot do something hostile.

Most cookies are not executable, and I have not come across one. In general Cookies are stored as text files and cannot be of danger or pass on viruses. Even if a cookie is executable it cannot automatically spread on a virus unless you execute it. But of course with recent bugs in Internet Explorer 3.0, it will let a site run a application. In theory, if a executable cookie was set with malicious contents, then it is possible that IE3.0 could execute it, then it could affect your computer with a virus.

The maximum contents of a cookie is 4Kb, and the line to delete the contents of a hard-disk is only 18 bytes long, so obviously the virus could do some damage even though it could not be a complete Trojan horse. Please note this is only a theory and I have never seen a cookie that was able to spread a virus, this would be virtually impossible, and would take a great deal of work. This theory is trivial compared to some other very real loopholes in the net. A loophole in ActiveX was demonstrated, and was able to access the underlying file system. There has also been some security problems uncovered in Java.

Basically cookies cannot harm your computer. The general controversy is not what cookies can do to your computer, but what information they can store, and what they can pass on to servers, there is currently a new proposal to limit the features of the cookie protocol, which would give people a greater control over what cookies they can accept and from where.

.::. What Went Wrong?

So If cookies are so much of a nuisance why was they developed in the first place?

The first batch of cookies were originally cooked up as simple mechanism to help make it easier for users to access their favorite Web sites without having to go through a lengthy process of identifying themselves every time they visit. For instance, upon your first visit to a given site, you may be asked to reveal your name and perhaps even some personal or financial information required to gain access to that site in the future. The site will then place a cookie containing this information on your system and when you return it will request information based on the cookie to determine who you are and whether you have authorization to access the site.

Unfortunately, the original intent of the cookie has been subverted by some unscrupulous entities who have found a way to use this process to actually track your movements across the Web. They do this by surreptitiously planting their cookies and then retrieving them in such a way that allows them to build detailed profiles of your interests, spending habits, and lifestyle. On the surface, this practice may seem harmless and hardly worth fretting over since the worst thing most imagine is that corporate concerns will use this information to devise annoying, yet relatively innocuous advertising campaigns, targeted towards specific groups or individuals. However, it is rather scary to contemplate how such an intimate knowledge of our personal preferences and private activities might eventually be used to brand each of us as members of a particular group.

But remember a site only knows what information you have entered. Not all cookies are bad, they can also provide useful functions on the web.

Parker Information Resources
Houston, Texas

The HTML Writers Guild
Notepad only