Updated October 2000
This article has been translated into Belarusian (Беларускі) by Paul Bukhovko.
A cookie is a bit of information that your browser stores on your computer at the request of a web server, and passes back to the web server that created the cookie every time you talk to that web server. It only exists because a web server asked your browser to store it.
Cookies can only contain information that you've already sent to a particular web site. If you've given them the information, how can this be any kind of invasion of privacy?
Cookies cannot otherwise discover information about you. A cookie is NOT something that looks at things on your computer, or examines your history, or anything like that. There may be other ways that a web server can find out information about you, but these work with or without cookies -- they are unrelated (described below).
Cookies are only sent back to the web server that created them (unless your browser has a serious bug). Cookies can't leak information from a site you trust to a site that you don't trust.
Cookies are used to track "sessions". Cookies are also used as a convenience for you the user, so you don't have to type in the same info over and over again when you visit a web site. Cookies may be used for both purposes.
A session is a set of accesses that are all from the same person. If a web site that you don't trust is using cookies for this purpose, they aren't "spying" on you. If you haven't sent them information, then they don't have any idea who you are. They just know that (for example) random ID #56843065829 accessed the web site 17 times on Monday, 3 times on Wednesday, and 86 times today. They can track what links random ID #56843065829 used when getting somewhere, which may help the web site redesign its layout to be more convenient, or to know where to best put advertisements.
Most people don't find that to be nearly as sinister as they thought. There are those that feel even this amount of information is too much, but I have to wonder if these people realize that when they shop in a store, there may be people analyzing where they walk and where they stop too. The web is actually more anonymous, because they can't see what you look like, or if you are male or female, young or old.
I know of people that purposely delete their cookies after every session, or set their browser to refuse all cookies. There are even commercial products that delete the cookies (these products play on people's ignorance in my humble opinion).
If you haven't given a web site personal information, then cookies can't be used to find anything out about YOU personally. If you HAVE given a web site personal information, the primary data that they will be selling is that explicit information (e.g. what did you buy from them, and when). Cookies only add marginal information, which is less saleable: what web pages did you look at when you weren't buying anything?
The most sinister part of the whole cookie thing is in Ad Banners provided by companies such as doubleclick.com. You may get a web page from kaopectate.com, but it may have an ad banner at the top, which is retrieved from doubleclick.com. This allows doubleclick.com to set a cookie, and also lets doubleclick.com know that you've visited kaopectate.com (the ad banner will be requested with a URL that has this info embedded in it, for example "http://doubleclick.com/truck_ad?advertiser=kaopectate.com", although it will be encoded so that you can't read it).
What this means is that doubleclick.com can track your movement across any site that they advertise on. Again though, they can't correlate your name to your clicks, unless they've already got your name some other way. Unfortunately, they can probably get it from any company they advertise on, which means that if you give your name to kaopectate.com, you may be giving it to doubleclick.com, who in turn may sell it to all of the other companies that carry their ad.
This just makes it all the more important that you don't do business with companies without reading their privacy statements, and without making sure they're a reputable business.
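The following Python model is an added illustration (not part of the original article) of the two points above: a browser that returns each cookie only to the host that set it, a first-party site that embeds a banner from an ad host, and an ad server that learns nothing but an ID of its own making and the advertiser name carried in the banner URL. It uses the article's kaopectate.com and doubleclick.com plus a constructed second site, othersite.example; the starting ID is the article's example number.

```python
from urllib.parse import urlsplit, parse_qs

class Site:
    """First-party web server whose pages embed a banner from ad_host."""
    def __init__(self, host, ad_host):
        self.host, self.ad_host = host, ad_host
    def handle(self, url, cookies):
        # Sets a first-party session cookie on the first visit only.
        return {} if "session" in cookies else {"session": "s-" + self.host}
    def banner_url(self):
        # The banner request names the embedding site in its URL (unencoded here).
        return f"http://{self.ad_host}/truck_ad?advertiser={self.host}"

class AdServer:
    """Third-party ad server: hands out a random-looking ID cookie, logs visits."""
    def __init__(self):
        self.next_id, self.log = 56843065829, []  # constructed starting ID
    def handle(self, url, cookies):
        uid, set_cookies = cookies.get("id"), {}
        if uid is None:                      # first contact: assign an ID
            uid, self.next_id = str(self.next_id), self.next_id + 1
            set_cookies["id"] = uid
        advertiser = parse_qs(urlsplit(url).query).get("advertiser", ["?"])[0]
        self.log.append((uid, advertiser))   # all the tracker ever learns
        return set_cookies

class Browser:
    """Cookie jar keyed by host: a cookie is returned only to the host that set it."""
    def __init__(self):
        self.jar = {}
    def fetch(self, url, server):
        host = urlsplit(url).hostname
        sent = dict(self.jar.get(host, {}))  # never includes other hosts' cookies
        for name, value in server.handle(url, sent).items():
            self.jar.setdefault(host, {})[name] = value
        return sent
    def visit(self, site, ads):
        # Loading the page also loads its embedded banner from the ad host.
        self.fetch(f"http://{site.host}/", site)
        return self.fetch(site.banner_url(), ads)  # cookies the ad host received

def profile(ad_log):
    """What the ad server can reconstruct: per ID, which sites and how often."""
    seen = {}
    for uid, advertiser in ad_log:
        bucket = seen.setdefault(uid, {})
        bucket[advertiser] = bucket.get(advertiser, 0) + 1
    return seen
```

Running two visits through `Browser.visit` shows the ad host receiving the same ID from both sites while the kaopectate.com session cookie never leaves its own host.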
Other ways of gaining information
While cookies can't be used to capture explicit information about you, there are other methods that can be used. Once the information is captured, it can be stored in cookies, or stored on the web server, or whatever. The main point is that the cookies don't add any extra danger to these
HTTP specifies what your browser says to a web server when it wants to retrieve a file. An optional part of this specification is that your browser can send your email address to the web server on every request. If your web browser does this, the server can easily track sessions without using cookies, and it can also correlate these sessions to you, since finding your real name from your email address is usually pretty easy.
I've tested Netscape for this behaviour and it doesn't send this information, but I don't use Netscape for email, so that may be why. I've heard that Netscape never sends this information, but I haven't confirmed that. I've also heard that some versions of Internet Exploiter do send this information. I haven't confirmed that either.
Auth and Finger
Many computers run a network service called auth. Auth is used to ask a computer the name of the user that initiated a connection. When you connect to a web server it often tries to do an auth back to your computer, saying "who just connected to my web server". If you're foolish enough to be running an auth service, they now know who you are. Some operating systems come with auth turned on by default, but I don't know which ones.
Finger is similar to auth but less specific. Finger just lets the web server ask "give me the names of everyone on the computer right now". Since most multi-user systems usually only have one user logged in, this is generally enough for the web server to find out who you are.
ActiveX doesn't have bugs, ActiveX is a bug, because it lets anyone run anything on your computer. There are far greater dangers there than just losing a little privacy.
Cookies can't grab information from you. Only you can give up information.