Novermber 1998
Updated October 2000
This article has been translated into Belarusian (Беларускі) by Paul Bukhovko.

Use of Cookies Considered Safe

An INCREDIBLY big deal has been made over the use of cookies at various sites. For the most part, this has been mindless, ignorant chatter, with no rational basis.

What exactly is a cookie?

A cookie is a bit of information that your browser stores on your computer at the request of a web server, and passes back to the web server that created the cookie every time you talk to that web server. It is created when a web server asks your browser to store it.

Cookies can only contain information that you've already sent to a particular web site. If you've given them the information, how can this be any kind of invasion of privacy?

Cookies can not otherwise discover information about you. A cookie is NOT something that looks at things on your computer, or examines your history, or anything like that. There may be other ways that a web server can find out information about you, but these work with or without cookies -- they are unrelated (described below).

Cookies are only sent back to the web server that created them (unless your browser has a serious bug). Cookies can't leak information from a site you trust to a site that you don't trust.

What's the point?

Cookies are used to track "sessions". Cookies are also used as a convenience for you the user, so you don't have to type in the same info over and over again when you visit a web site. Cookies may be used for both purposes.

A session is a set of accesses that are all from the same person. If a web site that you don't trust is using cookies for this purpose, they aren't "spying" on you. If you haven't sent them information, then they don't have any idea who you are. They just know that (for example) random ID #56843065829 accessed the web site 17 times on Monday, 3 times on Wednesday, and 86 times today. They can track what links random ID #56843065829 used when getting somewhere, which may help the web site redesign its layout to be more convenient, or to know where to best put advertisements.

Most people don't find that to be nearly as sinister as they thought. There are those that feel even this amount of information is too much, but I have to wonder if these people realize that when they shop in a store, there may be people analyzing where they walk and where they stop too. The web is actually more anonymous, because they can't see what you look like, or if you are male or female, young or old.

Cookies can also store information that you've sent them. For instance, if you shop there, they may store some sort of user id in a cookie so that it is easier to "log in" to that web site on future visits. In this case, they can relate the sessions to you personally. They can also sell that information -- but this has nothing to do with cookies: you've given them personal information, they can sell it regardless of whether or not they use cookies. If you don't want them to sell your personal information, I suggest you only do business with reputable web sites, and also make sure to read their statements on the use of personal information. Also, make sure they are running a secure server.

I know of people that purposely delete their cookies after every session, or set their browser to refuse all cookies. There are even commercial products that delete the cookies (these products play on people's ignorance in my humble opinion).

If you haven't given a web site personal information, then cookies can't be used to find anything out about YOU personally. If you HAVE given a web site personal information, the primary data that they will be selling is that explicit information (e.g. what did you buy from them, and when). Cookies only add marginal information, which is less saleable: what web pages did you look at when you weren't buying anything?

Cookies in Ad Banners

The most sinister part of the whole cookie thing is in Ad Banners provided by companies such as doubleclick.com. You may get a web page from kaopectate.com, but it may have an ad banner at the top, which is retrieved from doubleclick.com. This allows doubleclick.com to set a cookie, and also lets doubleclick.com know that you've visited kaopectate.com (the ad banner will be requested with a URL that has this info embedded in it, for example "http://doubleclick.com/truck_ad?advertiser=kaopectate.com", although it will be encoded so that you can't read it).

What this means is that doubleclick.com can track your movement across any site that they advertise on. Again though, they can't correlate your name to your clicks, unless they've already got your name some other way. Unfortunately, they can probably get it from any company they advertise on, which means that if you give your name to kaopectate.com, you may be giving it to doubleclick.com, who in term may sell it to all of the other companies that carry their ad.

This just makes it all the more important that you don't do business with companies without reading their privacy statements, and also making sure they're a reputable business.

Other ways of gaining information

While cookies can't be used to capture explicit information about you, there are other methods that can be used. Once the information is captured, it can be stored in cookies, or stored on the web server, or whatever. The main point is that the cookies don't add any extra danger to these problems.

From:
HTTP specifies what your browser says to a web server when it wants to retrieve a file. An optional part of this specification is that your browser can send your email address to the web server on every request. If your web browser does this, the server can easily track sessions without using cookies, and it can also correlate these sessions to you, since finding your real name from your email address is usually pretty easy.

I've tested Netscape for this behaviour and it doesn't send this information, but I don't use Netscape for email, so that may be why. I've heard that Netscape never sends this information, but I havn't confirmed that. I've also heard that some versions of Internet Exploiter do send this information. I havn't confirmed that either.

Auth and Finger
Many computers run a network service called auth. Auth is used to ask a computer the name of the user that initiated a connection. When you connect to a web server it often tries to do an auth back to your computer, saying "who just connected to my web server". If you're foolish enough to be running an auth service, they now know who you are. Some operating systems come with auth turned on by default, but I don't know which ones.

Finger is similar to auth but less specific. Finger just lets the web server ask "give me the names of everyone on the computer right now". Since most multi-user systems usually only have one user logged in, this is generally enough for the web server to find out who you are.

Software Bugs
Web browsers are software, and as such tend to have bugs. In particular, JavaScript has had quite a few bugs. JavaScript is a software enhancement that lets servers reprogram some features of your browser. It is supposed to hide all personal information (for instance your history list), but there have been bugs that allow JavaScript programs to access this information and send it back to the server (this is sometimes done with cookies, but can be done just as easily with a regular web request).

ActiveX doesn't have bugs, ActiveX is a bug, because it lets anyone run anything on your computer. There are far greater dangers there than just losing a little privacy.

Summary, Advice

Cookies can't grab information from you. Only you can give up information.

Instead of worrying about cookies, try to do the following: Disable auth, finger, and any other similar services that might be available on your computer. Make sure you have the latest version of JavaScript to reduce the chances of a software bug getting through. Don't allow ActiveX at all. Don't use browser software that you don't trust. And most importantly, don't do business with on-line companies that you don't trust, or don't know anything about.


Tom Fine's Home Send Me Email