by Marc Slayton
Webmonkey, Nov. 1996
Republished with permission
Not long ago, I wrote an article explaining how cookies work; I wasn't really prepared for the amount of mail I received in response. After reading through several pieces of insightful commentary and a few abusive rants, I realized that in addition to the growing number of Internet denizens who want to know more about cookies, there's an equally large faction who question whether cookies are a good idea at all.
One reader of Geek Talk (a column written by Marc Slayton for Webmonkey) summed up the cookie debate like this:
Imagine you're at home eating a TV dinner you just purchased from your local grocery. Suddenly a sly-looking store clerk appears in your dining room window and starts taking pictures of you.
"Hey, buddy!" you complain, angrily pointing at the camera. "What gives you the right to come in here with that thing? This is private property."
"Well," he replies, "you bought those groceries at my store, you see—and we have a right to keep our shelves stocked with the latest in popular consumer products. It's for your own good, you understand." He grins, and continues taking pictures of your lawn, your bathroom, your bedroom, your pantry, etc.
Sure, it's a little dramatic, but I think it illustrates many people's fears. Any way you look at it, cookies are used to track people, and that makes a lot of people uncomfortable. When used well, cookies give Web site developers valuable clues about who's visiting their sites; this can help them prepare for the future and determine what appeals to their audience. With the proper cookie scheme, they can tell which demographic group goes where, and how many people are interested in a particular product or service. They can even use cookies to tell whether a particular column or advertisement is attracting enough attention to keep it around. For the maintainer of a Web site, this information can be invaluable.
On the other hand, personal privacy is a sensitive issue, and the Net is a place where privacy can easily be violated. If you've ever received an unsolicited e-mail message, you know what I mean. It's a sad fact, but the Internet is full of organizations that abuse the trust of their subscribers.
Unlike e-mail, cookies are largely hidden from the user's view, which makes them seem a little scarier. But cookies aren't the primary source for tracking users' movements on the Web. Just about every Web site tracks its visitors to some degree—with or without HTTP cookies. In fact, cookies are merely a slight enhancement to a tool that developers have used since the Web's inception: log files.
Servers store information about the requests they receive in log files. These files contain detailed information about every single request the server receives, including where the request came from, what time the visitor showed up, and what pages he or she looked at.
And there's more—any systems administrator worth half his salary can scan these log files and tell exactly how many times a given computer has accessed a site in a given hour, day, month, etc. Compared to log files, cookies only provide a tiny piece of added tracking ability. They allow developers to look at their traffic on the big-picture level and to recognize individual users instead of just machines.
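The log-file point above, as an added example that is not part of the original article: it counts requests per machine per hour from an access log, then shows what a cookie adds when two people share one machine name. The log lines are constructed, and the trailing quoted cookie field is an assumption (a stock Common Log Format line has no cookie column).

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: Common Log Format plus an assumed trailing cookie field.
SAMPLE_LOG = """\
proxy.example.com - - [01/Nov/1996:10:02:11 -0800] "GET /index.html HTTP/1.0" 200 2326 "visitor=1001"
proxy.example.com - - [01/Nov/1996:10:05:40 -0800] "GET /geektalk/ HTTP/1.0" 200 5120 "visitor=1002"
proxy.example.com - - [01/Nov/1996:10:31:02 -0800] "GET /geektalk/cookies.html HTTP/1.0" 200 8841 "visitor=1001"
dialup7.example.net - - [01/Nov/1996:11:15:27 -0800] "GET /index.html HTTP/1.0" 200 2326 "-"
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<cookie>[^"]*)")?$'
)

def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield rec

def hits_per_host_hour(records):
    """What log files alone give: request counts per machine per hour."""
    return Counter((r["host"], r["time"].strftime("%Y-%m-%d %H")) for r in records)

def visitors_per_host(records):
    """What the cookie adds: distinct visitors seen behind each machine."""
    seen = {}
    for r in records:
        if r["cookie"] and r["cookie"] != "-":
            seen.setdefault(r["host"], set()).add(r["cookie"])
    return seen

if __name__ == "__main__":
    records = list(parse(SAMPLE_LOG))
    for (host, hour), n in sorted(hits_per_host_hour(records).items()):
        print(f"{host}  {hour}:00  {n} requests")
    for host, ids in visitors_per_host(records).items():
        print(f"{host}: {len(ids)} distinct visitors")
```

In the sample, the log alone shows three requests from one machine in one hour; the cookie column shows those requests came from two different visitors.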
Cookie abuse
There are several ways Web sites misuse cookies (sometimes inadvertently). For example, a Web site may choose to store a "membership" password unencrypted within a cookie. This isn't a good idea, since anyone who sees that cookie can easily read the password, and gain access to that site under the user's name. Passwords stored in cookies should always be encrypted.
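The misuse described above, as an added example that is not part of the original article: the first cookie carries the password in the clear, so anyone who sees it can read it. For contrast, the second cookie holds only a random identifier that the server maps to the user; this is a substitute design shown here in place of the encryption the article recommends, and all function and field names are hypothetical.

```python
import secrets
from http.cookies import SimpleCookie

SESSIONS = {}  # hypothetical server-side table: session id -> username

def weak_cookie(user, password):
    # The misuse described above: the password travels in the clear.
    return f"user={user}; password={password}"

def session_cookie(user):
    # Substitute design: the cookie holds only a random identifier.
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user
    return f"sid={sid}"

def readable_fields(cookie_header):
    # Everything a person who sees the cookie can read from it.
    jar = SimpleCookie()
    jar.load(cookie_header)
    return {name: morsel.value for name, morsel in jar.items()}

def whoami(cookie_header):
    # The server resolves the identifier; unknown identifiers map to nobody.
    return SESSIONS.get(readable_fields(cookie_header).get("sid"))

def revoke(cookie_header):
    # A leaked identifier can be invalidated without changing the password.
    SESSIONS.pop(readable_fields(cookie_header).get("sid"), None)

if __name__ == "__main__":
    # Constructed sample values.
    print(readable_fields(weak_cookie("alice", "s3cret-pw")))
    cookie = session_cookie("alice")
    print(readable_fields(cookie), "->", whoami(cookie))
    revoke(cookie)
    print("after revoke ->", whoami(cookie))
```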
There's also the question of how Web sites use specific demographic information. Let's say you run a site that happens to contain information on how to make pipe bombs or grow marijuana. Does the government have the right to subpoena your records to find out who's reading that information? The answer varies from country to country, but for some people, this makes accepting a cookie the equivalent of being under surveillance.
What you can do
Depending on how they're used, cookies may or may not be a threat to your privacy. Here's a quick list of things you can do if you're not comfortable with cookies:
- Many newer browsers, including Netscape Navigator 3.0 and Microsoft Internet Explorer 3.0, contain an option for warning users any time a server tries to set an HTTP cookie. Users can then usually look over a cookie's contents before accepting or denying it. Most cookies don't contain anything more than a tracking number, or a username and encrypted password.
If you use this option, you may choose to set only those cookies you find valuable or that come from a site whose reputation you respect. Of course, there are so many Web servers using cookies today that it can quickly become too annoying to accept or deny each and every one—especially when surfing a site that attempts to set several cookies per page.
- You can force most browsers to refuse all cookies with a simple trick—make the file where your browser stores its cookies nonreadable. Windows 95, Mac, and Unix systems all have file-locking methods that you can use to accomplish this (check your platform's user manual). Once you do this, browsers like Netscape or Internet Explorer will "skip over" any attempt to set a cookie, and erase their cache of session cookies the next time you quit and restart the browser.
Eventually, I think most Web browsers (particularly those in the public domain) will come with an option to refuse all cookies. The trade-off will be that you may lose some of the added functionality cookies provide. You probably won't be able to use shopping carts, and you may have trouble logging into many password-authenticated Web sites.
- Another option on some sites is to use an anonymous account when you log into a password-protected area. If you dig around, you'll find some sites have these accounts already in place for users who are sensitive about revealing their identities.
A few years ago, a group of technically savvy privacy advocates called the Cypherpunks predicted membership would become a trend on the Web and quickly set about creating anonymous password accounts on a number of the early membership-touting Web sites. Many of these accounts still exist, usually using "cypherpunk" or "cypherpunks" as both the name and password.
Anonymous accounts frequently come under attack because they give users the ability to post abusive anonymous rants to community areas (which rely on consistent identity to hold members accountable for their words and actions). Still, the idea persists, and is often espoused as a solution for those who are sensitive about their privacy.
Marc Slayton writes a regular column for Webmonkey.