If you've heard Internet slang thrown around, you probably heard someone reference "cookies". What are cookies, how do they work, and what do they mean for your privacy? This article covers the basics.
For many Web surfers, the term "cookie" is tainted with a McCarthy-esque flavor and the bitter aftertaste of privacy violation. Some believe cookies are nefarious devices that allow evil websites to track everything a user does online, or that they allow access to personal information. Fortunately, cookies are nothing of the sort.
- Cookies are primarily preference files for each website, that can be stored on your machine.
- Cookies can't store anything they don't already know about you; and to know anything about you, they generally have to watch or ask.
Static versus Dynamic Websites
Static websites are just files with a bunch of links that you click on to read other files. I call it the point-and-grunt interface; "Uh, me wanna read that." This works fine for many tasks, but the person behind the browser has to continually ask for everything they might want, each time they visit, because the site can't remember anything about the user or their desires.
When you go to a dynamic (smart) website, like Amazon or eBay, you occasionally do more than just point-and-grunt; you might need to log in, post a response, set up preferences or buy something. The cookie is a place to remember who you are, or your settings. And you can set things up only once, instead of every time you visit.
Cookies versus Account based preferences
Some sites require cookies to save preferences, others do not. That's because if you're on a website that has an account (requires you to login, etc), then they're already storing stuff about you on their servers... so they can just store your preferences there too.
Tradeoffs of account based preferences:
- The disadvantages of account based is when you go back to the site, if you're not logged in, then no preferences. Once you log in, they know who you are, and can turn on your preferences.
- The advantage of account based systems is the preferences are coupled with your account -- so if you go to someone else's computer, and login, then viola -- your preferences apply. But only after you login. It also means that if there are multiple users of that machine, each can have their own preferences -- as long as you are logging out, and logging in as each person. (The preference follows the login).
When you look at cooke based preferences you get different tradeoffs:
- The advantage of cookies based systems who you are by being on a machine. So whenever you go to that machine, you get those preferences. No login required.
- The disadvantage is it only knows that machine is accessing the site (not which user). If it's the family computer, then it knows the families preference, not each individual. And if you go to another machine and go to the website, it has no idea who you are. (The cookie is on the other machine).
Monkey see, monkey do
While a cookie (or website) can't read your mind, you may be telling it more than you think, and it can infer some things. So a site can be very observant and can adapt to you. Sites can see if 90 percent of your clicks (within that site) were on topics relating to bird-watching, so when you come back, it can customize things to show you pages or ads about bird-watching. By watching what your machine does, they can learn your interest. For many, this is creepy.
The conspiracy theory is that if a site can watch you, it can spy on you, and share that information with others, and before you know it, your online hiking club will know that you bought viagra online. But the reality is that sites don't usually share that much information from one site to another, and don't really care what your other interests are. They try to build a profile of demographically who you are (your income, race, interests, etc), but it's everything that advertisers care about selling you. It's not like they care about you, and want to share that information with others.
Who are you?
Cookies don't know who YOU are. A cookie usually remembers preferences by machine; so it knows what a machine has done, but not a user.
- If you and your teenager share the same machine, and both visit Amazon, the cookie/site can knows that machine is interested in both the Beatles and Britney Spears, but it can't associate which one of you cares about which... unless you log in to the site separately and identify who is using that machine. And if you do that, then they know who you are without the cookie.
- If you go to the same site from home and work, a site doesn't know that it is the same person; again, unless you logged in.
And in all cases, the information they know about you is the information you gave them. Even without cookies, sites can figure out most of this information -- cookies just allow the site to remember it from visit to visit.
Now cookies aren't always secure. You can often snoop the cookies of the machine you are on. So web-programmers generally don't put private information in the cookie; but there are a few idiots in every business, and these are who the privacy paranoids are worried about. In theory, they could save something like your password in clear text, or some other bit of PII (Personally Identifiable Information) in a cookie. So when you go to a site, you're trusting that the developers of that site aren't complete morons. Which is a pretty big assumption.
But remember, if someone has access to your machine (and can snoop your cookies), they can probably find out a lot more sensitive data than just what's in the cookie. So don't let people use your machine that you don't trust. And be careful about logging into websites from other people's machines; especially public or shared computers like libraries or college computer labs.
In theory, a programmer or hacker, can create a website that could try to "spoof" your browser, and read the information that some other site put in their cookie. But you'd still have to visit the hackers website to enable them to get that information, and there are "secure" cookies to prevent that. So this isn't a huge threat.
Networking : Bots, Crawlers and Spiders, oh my! • EMail • Network Casting and Subnets • Never trust the Internet • Web Basics • Web Search Basics • What is DNS? • What is a WebApp? •
Written 2002.05.27 • Edited: 2018.04.15