Cookies
An article on cookies - what are these little files, how do they work, what are the different types, and should you be worried about your privacy?
This is rather a long article, so feel free to skip to the summary at the end if you just want the 'bottom line'!
[Note that the discussion below assumes you have the latest version, or patch level, of your Web browser]
In recent weeks, there have been a few occasions where someone has raised the subject of Web browser cookies with me, and the range of emotions (yes, believe it or not, emotions) caused by these tiny little text files has amazed me, including:
It has been very rare indeed for me to hold a discussion with someone who understands the technology and issues in any depth, so I hope this article will serve as a 'backgrounder' so you can:
I'm sure you will all have come across a site which says:
This kind of message is not terribly helpful, as it doesn't tell you what kind of cookie will be used, how long it will last, what information it will contain and so forth. Let's begin with:
There are, essentially, two kinds of cookie:
Here's a typical session cookie:
Name: ASPSESSIONIDXXXXXXXX (where XXXXXXXX is a random string of characters)
Note that I didn't obtain this information from a text file on my machine - this is a session cookie, and so it is simply held in memory by the browser process. As it's due to be deleted when the browser closes (or before), there's no point storing it on disk.
So what does it all mean? The server is identifying your browser session so that, in the event that the server needs to store information for you in memory, it can do so without:
Now, the important question - does a session cookie invade my privacy? The answer is no. Absolutely not. Here's why:
[I will discuss the options for allowing/denying cookies of all kinds in modern browsers later]
And so on to the second type of cookie - persistent. It is this kind of cookie which has caused most of the over-hyped furore in the past. The media have had great fun over the years, causing people to fear the worst when a Web site presents their browser with a cookie. Indeed, even those clever bods in the European Parliament have only recently been discussing a proposal to ban *all* cookies - the last time I looked at the proposed Directive, I don't recall there being any distinction between session and persistent cookies. I hope the legislation has either been altered or withdrawn - if it went through with no distinction, it could cost industry a fortune, as a large number of serious Web applications would have to be rewritten, by very expensive developers!
Here's a typical persistent cookie:
Now, we see a cookie being set to 'live' for 3 years. Looking at the content, it might seem rather similar to the session cookie we looked at earlier - a bunch of random characters that don't mean anything except to the server that set it. True enough, but remember this one doesn't go away when the browser closes.
When you visit the same Web site again, the server is given the cookie you allowed to be set. Does this invade your privacy? Not exactly - all your browser is doing is giving the server back the same gibberish it gave you in the first place. But it *is* now able to identify you as a previous visitor.
Now we start getting into the tricky area of privacy - the server can identify you as having visited before, and can recall any information you gave it last time. All fair enough, and may add to your overall experience (allowing the server not to present you with news stories you've read, give you back your customised colours, etc.). If you're in the habit of scrutinising persistent cookie contents, I'm sure you'd agree that the server hasn't done anything to invade your privacy - in fact, it's helped you, as you haven't had to log in, use the same IP address or anything...
The problems come about when we start looking at cookies set by banner advertising and other commonly-used Web page insertions (such as 1x1-pixel graphics, referred to as 'Web Bugs', and used for statistical usage analysis). Say, for example (!), there was a single organisation providing dynamic banner ads for lots of Web sites, or providing usage analysis for the same. That organisation would be in the unique position of being able to track Internet usage for individuals, albeit anonymous individuals.
The sticky bit comes when we consider this imaginary organisation forging relationships with other organisations, for example advertising agencies, and agreeing to share data. It is feasible that this 'anonymous' usage information could quickly be tied to real data about individuals.
So, perhaps personal privacy is being invaded right now? Well, it's possible, but unlikely - there are far more effective mechanisms for organisations to gather information on individuals than examining cookies - the amount of personal information you can retrieve from a cookie is very limited, as any site or organisation that started storing very personal information in cookies would rapidly be drummed off the Internet! However, that argument will continue - are organisations like 'fumbleclick.net' creating enormous databases of user information and integrating them with those of credit card agencies, government departments, service organisations, etc.? Somehow I doubt it - if there exists an organisation that well organised, technically competent, ethically twisted and expert in subterfuge, I would be amazed! Conspiracy theories and evidence are mutually exclusive ;o)
I'm not saying that cookies are harmless - they *can* be used to track you, but only to a limited extent, given that browsers are designed never to present a cookie to a server other than the one that set it. Looking at the fumbleclick.net example above, if blackhats.com asked for the fumbleclick.net 'id' cookie, the browser would not give it to them. What the browser *will* do is send that cookie to fumbleclick.net itself every time any page, on any site, embeds a fumbleclick.net banner or Web Bug - that, plus the address of the referring page, is all the tracking in the previous example relies on. (Note that there have been a few browser bugs on this front in the past, allowing one site to read another's cookies, hence my mention at the beginning of running the latest version of your browser.)
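To make the behaviour described above concrete (the session cookie that vanishes when the browser closes, the 3-year persistent cookie that doesn't, and the rule that a cookie only ever goes back to the host that set it, even from a third-party banner or Web Bug), here is a toy cookie jar in Python. It is an added example, not code from the original article; the Set-Cookie header values, the host names shop.example and news.example, and the cookie values are constructed for the example, and fumbleclick.net and blackhats.com are the hypothetical names used above.

```python
"""Toy browser cookie jar illustrating three rules discussed above:
 - a cookie with no Expires/Max-Age is a session cookie, held in memory
   and discarded when the browser closes;
 - a cookie with an Expires date is persistent until that date;
 - a cookie is only ever returned to the host that set it, even when that
   host's banner or 1x1 'Web Bug' is embedded in someone else's page.
Everything here is constructed for illustration; the header values are not
captured from any real site."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime


class CookieJar:
    def __init__(self, now):
        self.now = now        # injected clock so expiry can be simulated
        self.store = {}       # (host, name) -> (value, expires-or-None)

    def set_cookie(self, host, header):
        """Record one Set-Cookie header value received from `host`."""
        parts = [p.strip() for p in header.split(";")]
        name, _, value = parts[0].partition("=")
        max_age = expires = None
        for attr in parts[1:]:
            key, _, val = attr.partition("=")
            key = key.strip().lower()
            if key == "max-age":
                max_age = int(val)
            elif key == "expires":
                expires = parsedate_to_datetime(val.strip())
        if max_age is not None:          # Max-Age takes precedence over Expires
            expires = self.now + timedelta(seconds=max_age)
        self.store[(host, name)] = (value, expires)

    def cookies_for(self, host):
        """Cookies the browser attaches to a request to `host`: only those the
        same host set, and only those not yet expired."""
        return {name: value
                for (h, name), (value, expires) in self.store.items()
                if h == host and (expires is None or expires > self.now)}

    def close_browser(self):
        """Session cookies (no expiry) live only in memory: drop them."""
        self.store = {k: v for k, v in self.store.items() if v[1] is not None}


# Constructed sample headers, modelled on the two kinds of cookie described above.
SESSION_HEADER = "ASPSESSIONIDXXXXXXXX=EXAMPLESESSIONVALUE; path=/"
TRACKER_HEADER = "id=EXAMPLETRACKINGID; expires=Tue, 01 Jun 2004 00:00:00 GMT; path=/"


def run_scenario():
    start = datetime(2001, 6, 1, tzinfo=timezone.utc)
    jar = CookieJar(now=start)
    jar.set_cookie("shop.example", SESSION_HEADER)      # first-party session cookie
    jar.set_cookie("fumbleclick.net", TRACKER_HEADER)   # 3-year tracker cookie
    report = {}
    report["before_close"] = (jar.cookies_for("shop.example"),
                              jar.cookies_for("fumbleclick.net"))

    # Pages on three unrelated sites each embed a fumbleclick.net banner or
    # web bug. The browser sends the tracker its own cookie on every embed
    # (with the embedding page as Referer), which is how one id can be
    # correlated across sites; the embedding sites themselves never see it.
    tracker_log = []
    for page_host in ("shop.example", "news.example", "blackhats.com"):
        assert "id" not in jar.cookies_for(page_host)
        tracker_log.append((page_host, jar.cookies_for("fumbleclick.net").get("id")))
    report["tracker_log"] = tracker_log

    jar.close_browser()                                 # session cookie gone
    report["after_close"] = (jar.cookies_for("shop.example"),
                             jar.cookies_for("fumbleclick.net"))

    jar.now = start + timedelta(days=4 * 365)           # past the Expires date
    report["after_expiry"] = jar.cookies_for("fumbleclick.net")
    return report


if __name__ == "__main__":
    for key, val in run_scenario().items():
        print(key, val)
```

The tracker_log is what fumbleclick.net would be able to record: the same 'id' arriving from every page that embeds its content, which is the whole of the cross-site tracking problem, and also its limit - the id is the only thing the cookie carries.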
Let's take a quick look at how a persistent cookie can be beneficial, so that we can counteract the negatives of the previous example.
One well-known forum (discussion) application used on many Web sites stores a persistent cookie with your username and password in it, but in strongly-encrypted format. If you are the only user on your machine, allowing this cookie (you don't have to) is extremely beneficial, as after registration with the system your password is never sent in plain-text (readable) format across the Internet - only the encrypted version is ever sent. If you did not accept the cookie, you would be sending this sensitive information in readable format across the Internet every time you logged on (unless the site uses SSL, in which case the whole exchange is encrypted anyway). The trade-off is that the encrypted value is itself a credential: the server accepts it in place of the password, so anyone who can read your cookie file can log in as you without ever learning the password. That is why you shouldn't accept it if you aren't the only user on your machine.
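A sketch of such a scheme, as an added example and not the forum software's own code (the article doesn't name or show it). The forum's actual 'strong encryption' is unknown, so an HMAC under a server-side key stands in for it; the user names, passwords, key and the cookies.txt-style line are all constructed. It shows the benefit (the password is neither in the cookie file nor on the wire after the first login) and the caveat (whoever copies the cookie file is logged in).

```python
"""A 'remember me' cookie that carries a keyed (encrypted) form of the password
rather than the password itself. It keeps the password off the wire and out of
the cookie file, but the cookie value is a credential in its own right: anyone
who copies it from the cookie file is logged in as you. Names, passwords and
key are constructed for the example; the HMAC stands in for whatever the real
forum software uses (an assumption)."""
import hashlib
import hmac
import os
import tempfile

SERVER_KEY = b"constructed-server-side-secret"
ALICE_PW = "correct horse battery"
USERS = {"alice": ALICE_PW, "bob": "another constructed password"}


def remember_me_value(username, password):
    """Cookie value the server hands out after a successful password login."""
    mac = hmac.new(SERVER_KEY, f"{username}:{password}".encode(), hashlib.sha256)
    return f"{username}:{mac.hexdigest()}"


def login_with_password(username, password):
    return USERS.get(username) == password


def login_with_cookie(cookie_value):
    """Validate the cookie without the password ever being sent again.
    Returns the logged-in user name, or None."""
    username, _, mac = cookie_value.partition(":")
    password = USERS.get(username)
    if password is None:
        return None
    expected = remember_me_value(username, password).partition(":")[2]
    return username if hmac.compare_digest(expected, mac) else None


def scenario():
    USERS["alice"] = ALICE_PW                 # reset so the scenario is repeatable
    # First login: the password crosses the wire in whatever form the login
    # form uses; the server then sets the persistent cookie.
    assert login_with_password("alice", ALICE_PW)
    cookie = remember_me_value("alice", ALICE_PW)
    results = {
        # Later visits: the cookie alone logs Alice in.
        "cookie_logs_in": login_with_cookie(cookie),
        # The password itself does not appear in the cookie ...
        "password_in_cookie": ALICE_PW in cookie,
        # Tampering with the user name part fails, since the MAC covers it.
        "tampered_cookie": login_with_cookie("bob" + cookie[len("alice"):]),
    }
    # ... but the browser stores the value as a line in a plain text file
    # (a Netscape cookies.txt-style line, constructed here) ...
    with tempfile.NamedTemporaryFile("w", delete=False) as f:
        f.write(f"forum.example\tFALSE\t/\tFALSE\t2147483647\tremember\t{cookie}\n")
        path = f.name
    # ... which another user of the same machine can read and replay as-is.
    with open(path) as f:
        copied = f.read().split("\t")[-1].strip()
    os.unlink(path)
    results["copied_cookie_logs_in"] = login_with_cookie(copied)
    # The cookie stays valid until the password it was derived from changes.
    USERS["alice"] = "new constructed password"
    results["after_password_change"] = login_with_cookie(cookie)
    USERS["alice"] = ALICE_PW
    return results


if __name__ == "__main__":
    for key, val in scenario().items():
        print(key, val)
```

The last result is the one to remember: the only way to revoke a cookie like this is to change the password it was derived from, so treat the cookie file with the same care as the password.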
Having looked at the types of cookies and the types of information they may hold, the next obvious question is how to set your browser to accept/deny in a reasonable way - you don't want to lose the benefits of session and 'good' cookies, but you do want to reduce the risk of persistent cookies you are uncertain about. The way I have mine set up is:
How you do this in your specific browser will (obviously!) vary. If you have problems finding the right incantation, drop me a line and I'll see what I can do...
If you are very concerned about the cookies you may already have on your machine, there's no reason why you can't just delete them. Their location will vary from system to system, and many browsers offer you the function in their Options dialogs anyway.
Always remember that cookies are just small text files, and that you, as the user of a machine, have total control over them. They are not malicious little bits of software that will jump up and pass your credit card details to any dodgy Web site that asks for them. Neither are they little databases for all your personal information (note my comment earlier on the definition of 'personal information') ready for someone to access just by sending you a URL via e-mail.
There is commercial and free software out there to block and clean all manner of things from your machine (in this case, what might be referred to as 'SpyWare'), but I wouldn't recommend it to just any user - most software of this kind will produce a huge list of potential issues, and deleting all of the offending files could seriously corrupt your system! If you would like some recommendations, please feel free to drop me a line.
Until next time, enjoy your cookies...