Locking Your Cookies In The Oven

Not Vanilla

Cookies on the web come in many flavors, but they are usually not vanilla; rather, they contain much sensitive information. Cookies are files generated by web sites you visit, manipulated using data on your computer and stored on your computer. These cookie files are then used the next time you visit the web site for a variety of purposes, ranging from benign to amusing to invasive of your privacy.

Let’s say you visit the news web site that enables you to select custom views so that you can focus on the stories that are of greatest interest to you. While defining your customized page, the web site probably stores that information in a cookie file that it then sends to you for storage on your computer. Next time you visit that site, you get your customized view because the site reads the cookie file it stored on your machine and sets up the view. The files are so small that you do not even notice that you are sending something; you only see the result. This is a useful implementation of cookies.

Let’s say you are shopping in an online store that has multiple departments. You may go from page to page, viewing items and selecting some for purchase. In all likelihood, that information is being processed and stored on your computer. Once you decide to go to the purchase area (please tell me you only purchase from sites that go into "secure" mode!), the web site will retrieve the cookie file that contains your selection, process them, and give you the total price and delivery information. This, too, is a useful implementation of the cookie files.

The Darker Side of Cookies

There are, however, darker implementations of cookies. Cookies may be stored on your computer in a special directory, in files named something like youraccount@site.txt where your account is your email address up to the @ sign and site is the name of the site without the preceding www or succeeding com or org. Now let’s say I am site www.snooper.com. You visit me and I use my nefarious techniques to collect all the cookies on your system. I used those cookies to build a database of sites you have visited, and I do this for everybody who visits my site. Now I have a database that has site preferences for a variety of people who are identified by their email address. I can sell that database to spammers or others who would then send you advertisements based on your preferences.

You may not view this as a serious breach of privacy, but it is a way that somebody is collecting information about you without your knowledge or approval. Now imagine that I also send the full text of your cookies to an analyzer that looks at the cookie contents. While most contents are encoded to make reading their content difficult, there are still many pieces of information that may be deduced or understood from systems that are not careful about the content of the cookie files they store on your computer. Perhaps now I can collect some more personal information, such as the books you read or the magazines you order or even the type of clothing you prefer. The meaning here is plain: your personal preferences and buying habits can become publicly available without your consent.

Stopping Cookies

There are some useful cookie files that I wouldn’t want to be without, including my custom views of news and other sites. There are some cookie files that are unimportant to me. Fortunately, I can control the transfer of cookie files to my computer. If I set my browser preferences appropriately, the browser will prompt me for approval prior to accepting any cookie files from any site. Therefore, each time a site attempts to send me a cookie, I can approve or disapprove it. One nice thing about setting this preference is that you see just how many cookies are being sent to your system as you jump from site to site. (Try it – you’ll be surprised!)

The nice thing about this preference is that I can prevent cookies from sites I do not know and, therefore, do not trust. There are even techniques in use on the net to help me determine whether the site is a "legitimate" site doing business on the net. These are site certificates, now being offered by a variety of trust brokers on the net. I’ll have more to say on that in a future column.) The idea behind stopping cookies from entering my computer is that I can prevent un-trusted sites from storing information on my computer. However, this does not prevent a site from getting cookies already stored on my computer.

Out ability to stop the flow of cookies is one way only. Once a cookie is on your system, there is nothing you can do to prevent a site from grabbing that cookie. You can, however, delete or hide the cookie files. If you delete the files, you lose your customized site information and other information that is truly useful. There is a fairly new product available for free at http://www.luckman.com. This is a cookie anonymizer. You can temporarily "hide" your cookies from prying sites. This way, you can have your cookies when you want them and protect yourself at other times. (Have your cookie and eat it, too?)

Are You A Target

You may not believe you have been spied upon, but you probably have cookies on your site whose primary job is to collect information about you. Look at your cookie directory and find a cookie whose name is youraccount@DoubleClick.txt or something like that. DoubleClick is an organization that collects information about Internet users and uses it for marketing purposes. In particular, DoubleClick’s cookie collects information about the sites you visit and uses that information to target the ads you see at various sites on the net to the preferences it infers from your site visits.

It may not matter to you that you have a DoubleClick cookie on your computer. The issue is that a cookie can enter your system and be used without your knowledge, and that is the invasion of privacy. It may be quite surprising to you to discover that the DoubleClick cookie may have been placed on your computer while you were visiting very well known and ostensibly trustworthy sites such as AltaVista, USA Today, and even the Dilbert Zone.

Consider your privacy when you surf the web. Of course, you need not let these concerns ruin your experience, just protect yourself by setting your browser to let you control cookies and exercise some good judgement. Don’t surf anywhere you wouldn’t visit personally.