Untangling the Web

Cookies: Just a Little Data Snack

by Keith C. Ivey

To read the New York Times Web site, you must open a free user account and log in each time you visit. That means yet another user name and password to remember. Fortunately, if you always use the same computer, you can set up your account so that you're logged in automatically whenever you connect to the site. The site does that by using cookies -- another of those silly-sounding bits of programmers' vocabulary that have crept into mainstream coverage of the Internet. But over the past year or so, this practice has become controversial because some people view it as an invasion of privacy. Others have bought into rumors or read inaccurate press reports suggesting that cookies threaten the security of their hard drives.

What are cookies?

In Web programming terminology, a cookie is a short string of characters that a Web server can pass to a Web browser and that the browser can then return to that server whenever it connects to it again. Often the cookie is simply a customer ID or user number that can be used to retrieve user preferences or other information from a database.

Programmers used the term cookie or magic cookie to refer to similar pieces of information for years before the Web existed. The Jargon File (http://earthspace.net/jargon/) defines cookie as follows:

A handle, transaction ID, or other token of agreement between cooperating programs. "I give him a packet, he gives me back a cookie." The claim check you get from a dry-cleaning shop is a perfect mundane example of a cookie; the only thing it's useful for is to relate a later transaction to this one (so you get the same clothes back).

What are cookies used for?

The Web works through transient connections established between a browser and a server. Each time you request a page, graphic, or other file from a Web site, a connection is established, the file is transferred, and the connection is terminated. It's not like logging on to your local network with a continuous connection.

Consequently, it's not easy for the Web server to determine that the person requesting a page now is the same as the one who requested a page a minute ago. And for some applications, it's necessary to know that. Cookies are one way for Web site programmers to overcome this limitation.

Many sites use cookies to make things more convenient for visitors. As well as storing passwords when security isn't particularly important, as the New York Times does, cookies can allow a site to "remember" user preferences and customize the page view the next time a user visits. For example, some Web stores use cookies so that people who order frequently don't have to reenter their shipping addresses and other order information every time. Other sites use them to show what has changed since the last time a person visited.

What's so controversial?

Popular reaction against cookies has caused some sites to stop using them. Although some concern may be warranted, and some people may want to take steps to control the use of cookies on their systems, there's no reason to panic and toss the cookies out with the wrapper.

Giving up cookies entirely, just because you're worried about problems, many of which are imaginary, is an overreaction that will keep you from getting full use out of some Web sites.

Misinformation in the media

A good deal of the controversy comes from confusion about what cookies are and what can be done with them, much of it fed by inaccurate reporting. The spread of myths about insidious cookies resembles the spread of virus hoaxes (as discussed in my article "Hoaxes, Scams, and Rumors"). In fact, one myth is that cookies can infect your computer with viruses. They can't, because they aren't programs.

For example, the November 4, 1996, issue of Forbes falsely claimed, "If a Web-site operator were so inclined, he could design a cookie that would snoop through a user's hard drive, looking for something that resembles a Social Security number or a bank balance." Cookies are not programs, and they provide no way to "snoop through a user's hard drive." (Such a thing might be possible with ActiveX, JavaScript, or buggy implementations of Java -- all of which should worry users more than cookies.)

Cookies can't read private information (e-mail address, credit card number, and so on) from your computer. The only information that can be passed through cookies is information that the site wrote to your cookie file earlier. So if a cookie contains your e-mail address (which is unlikely), it's because you gave your address to the site in the first place.

Tracking for advertising purposes

One legitimate concern (in some people's view) is the surreptitious use of cookies by "targeted marketing" companies to track Web visitors and customize the ads displayed. Companies do this tracking by exploiting a loophole in the way cookies work. The banner graphics for the ads are hosted on servers different from those that host the pages the ads appear on, but the cookies can still be passed to the browser along with the graphics.

Thus, by getting other sites to host pages containing their banners, the marketers can track people who haven't actually visited the marketers' own sites. They can see that the person viewing an ad on AltaVista is probably the same one who was viewing an ad on the Dilbert Zone earlier in the day. But they won't know who the person is, and they can't even be sure it's the same person, since computers are often shared. Future changes to the way cookies work may make this trick more difficult.

Although tracking is anonymous, it does allow the agencies to avoid showing the same ad to someone repeatedly and even to build up a record of pages someone has visited and use that record to determine which ads to display. Some people find that practice disturbing; others figure that if they have to see ads, they might as well see ads that interest them.

What can you do about cookies?

Many browsers can be set to alert you when a site tries to set a cookie and allow you to decide whether you want it to be set. Unfortunately, these features are fairly limited, and it's annoying to reject or accept cookies for the same sites over and over.

If you really want to take control of your cookies without a lot of hassle, you need third-party software that works with your browser to manage them. Cookie Central (see sidebar) has information about Windows and Macintosh software, together with links to sites where you can download trial versions.

Cookie Resources

• Malcolm's Guide to Persistent Cookies (http://www.emf.net/~mal/ cookiesinfo.html [24 Jul 1998: no longer exists]) and Andy's HTTP Cookie Notes (http://www.illuminatus.com/ cookie.fcgi) provide an introduction to cookies as well as technical information on how to use cookies on your own site.
• The Electronic Privacy Information Center Cookies Page (http://epic.org/privacy/internet/cookies/) covers issues related to cookies and privacy.
• Cookie Central (http://cookiecentral.com) is a frustrating site. It contains a lot of useful information and links, but too much of it is poorly written or misleading, and there's no indication of who's responsible for it. Cookie Central includes a discussion of the "dark side" of cookies, describing how targeted marketing companies track visitors across sites. Maybe I missed an irony alert somewhere, but it seems more than a little odd that this section of the site itself contains third-party advertising banners that set cookies.