
Grandma Never Baked This Kind Of Cookie!
Learn what Cookies are and what they're used for.

By Phillip Elam
pelam@primary.net

You would probably be surprised to learn this, but the Internet Web Sites you have been visiting may be spying on you, and even using your own computer's hard disk drive to keep detailed notes about what they see. It sounds harmless enough, but web sites can attach these files to your computer without your permission (or knowledge) and find out everywhere you visit. You may not know it, but someone may be tracing your every step right now. It's the Internet's dirty little secret, and it's called an Internet cookie.

A little-known feature of Netscape's Navigator, as well as other World Wide Web browser programs, including Microsoft's Internet Explorer, allows Web Sites to store any information about your visit that they want to by way of a file on your hard drive. Theoretically, this file can be as large as 1.2 megabytes, or about the size of a medium-sized computer program.

"Cookies" have many legitimate uses, but their use poses serious questions about privacy, security and other critical issues. Cookies (the name is certainly whimsical enough) allow any Web site that so desires to store any sort of information about your visit that it wants to save, such as what specific pages you looked at and how long you looked at them. So far, very few Web sites are fully utilizing this feature, although an industry-wide forum is on the verge of standardizing cookie technology. If and when that happens, you can expect more and more Web Sites to implement activity-tracking cookie technology.

Cookie technology does not necessarily mean that Netscape, for example, monitors every step a user takes. Instead, a company with a Web site could monitor a person's use and activities while on that individual site. Web sites store the information by way of a file called "cookies.txt" on Windows machines and "MagicCookie" on the Macintosh. This information usually resides in the same directory as the Navigator (or other browser) program. These are standard text files that can be read using any word-processing program. Once the information is stored, the site will know you have been there before; it may also have an indication of what your interests are as determined by what you have looked at previously.
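Because cookies.txt is plain text, you can audit it yourself. The script below is an added example, not part of the original article: it reads the seven tab-separated fields that Netscape-format cookie files use and reports which sites have stored what and for how long. The sample file contents, host names and the rule that an expiry of 0 means "session only" are assumptions made for illustration.

```python
# Added example: audit a cookies.txt file. All hosts and values are constructed.
SAMPLE = (
    "# Netscape HTTP Cookie File\n"
    ".ads.example\tTRUE\t/\tFALSE\t1893456000\tuid\t7f3a91c2\n"
    "shop.example\tFALSE\t/cart\tFALSE\t0\tsession\tabc123\n"
    "news.example\tFALSE\t/\tFALSE\t946684800\tprefs\tsports+weather\n"
    "this line is malformed and is skipped\n"
)

FIELDS = ("domain", "subdomains", "path", "secure", "expires", "name", "value")

def parse_cookies_txt(text):
    """Return one dict per well-formed line (seven tab-separated fields)."""
    cookies = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue                      # blank line or comment
        parts = line.split("\t")
        if len(parts) != 7 or not parts[4].isdigit():
            continue                      # not a cookie record
        rec = dict(zip(FIELDS, parts))
        rec["expires"] = int(rec["expires"])          # Unix seconds
        rec["subdomains"] = rec["subdomains"] == "TRUE"
        rec["secure"] = rec["secure"] == "TRUE"
        cookies.append(rec)
    return cookies

def lifetime(cookie, now):
    """Classify a cookie: gone at browser exit, already stale, or still live."""
    if cookie["expires"] == 0:            # assumed convention: 0 = session only
        return "session"
    return "persistent" if cookie["expires"] > now else "expired"

def audit(text, now):
    """Map each domain to the (name, lifetime) pairs it has stored."""
    report = {}
    for c in parse_cookies_txt(text):
        report.setdefault(c["domain"], []).append((c["name"], lifetime(c, now)))
    return report

if __name__ == "__main__":
    NOW = 1700000000  # fixed reference time (Unix seconds) so output is stable
    for domain, items in audit(SAMPLE, NOW).items():
        for name, kind in items:
            print(f"{domain:15} {name:8} {kind}")
```

Persistent entries from domains you never knowingly visited are the ones worth a closer look, since they outlive the browsing session that created them.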

Because of the way that connections are made on the Internet, cookies will not automatically tell a Web site your name or address -- only that you, or someone using your computer, had visited the site before, along with whatever other information it wishes to maintain. However, it can store personal information if you voluntarily "registered" at the site by giving it your name, address, telephone number, e-mail address or any other personal information. From then on, all of your comings and goings will be recorded and linked to you, specifically -- even if on a subsequent visit you do not sign in using your name. That information, in turn, could be sold to others, such as consumer marketing organizations.

Even while cookies don't always explicitly betray your identity, this feature violates two universal assumptions widely held by computer users: One is that exploring the World Wide Web is an entirely confidential and anonymous experience that leaves no record of itself. The other is that users' hard disk drives are, in effect, their castles, and should not be tampered with -- without the owner's explicit knowledge and approval.

Cookies are built into browsers and cannot be "turned off." While deleting the cookies file on your computer will erase any information that has already been stored there, if in your next session with the browser a site wants to store information on your computer, it will simply create a new cookie file.

Technically, cookies are pieces of information generated by a Web server and stored in the user's computer, ready for future access. Cookies are embedded in the HTML information flowing back and forth between the user's computer and the servers. Cookies were originally implemented to allow user-side customization of Web information. Essentially, cookies make use of user-specific information transmitted by the Web server onto the user's computer so that the information might be available for later access by itself or other servers. In most cases, not only does the storage of personal information into a cookie go unnoticed, so does access to it. Web servers automatically gain access to relevant cookies whenever the user establishes a connection to them, usually in the form of Web requests.

Cookies are based on a two-stage process. First, the cookie is stored in the user's computer without his or her consent or knowledge. For example, with customizable Web search engines like My Yahoo!, a user selects categories of interest from the Web page. The Web server then creates a specific cookie, which is essentially a tagged string of text containing the user's preferences, and it transmits this cookie to the user's computer. The user's Web browser, if cookie-savvy, receives the cookie and stores it in a special file called a cookie list. This happens without any notification or user consent. As a result, personal information (in this case the user's category preferences) is formatted by the Web server, transmitted, and saved by the user's computer.

During the second stage, the cookie is clandestinely and automatically transferred from the user's machine to a Web server. Whenever a user directs his or her Web browser to display a certain Web page from the server, the browser will, without the user's knowledge, transmit the cookie containing personal information to the Web server.
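The two stages can be modelled in a few lines. This is an added example, not code from the original article: a server packs the user's category preferences into a Set-Cookie header, a minimal browser stores it in its cookie list, and the browser then returns it on the next request to the same host. The host names, the cookie name "prefs" and the optional ask hook (standing in for a browser that notifies the user before storing) are assumptions, and matching is simplified to exact host only.

```python
from http.cookies import SimpleCookie

def server_set_preferences(categories):
    """Stage 1, server side: format the preferences as a Set-Cookie header."""
    cookie = SimpleCookie()
    cookie["prefs"] = "+".join(categories)   # "prefs" is a made-up cookie name
    cookie["prefs"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")

def server_read_preferences(cookie_header):
    """Stage 2, server side: recover the preferences the browser sent back."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    return cookie["prefs"].value.split("+") if "prefs" in cookie else []

class Browser:
    """Minimal cookie-savvy browser; matches on exact host only (simplified)."""

    def __init__(self, ask=None):
        self.cookie_list = {}    # host -> {name: value}
        self.ask = ask           # optional callback(host, name) -> bool

    def receive(self, host, set_cookie_header):
        """Stage 1, client side: store each cookie unless the user refuses."""
        parsed = SimpleCookie()
        parsed.load(set_cookie_header.split(":", 1)[1].strip())
        stored = []
        for name, morsel in parsed.items():
            if self.ask is not None and not self.ask(host, name):
                continue         # user was notified and said no
            self.cookie_list.setdefault(host, {})[name] = morsel.value
            stored.append(name)
        return stored

    def request_headers(self, host):
        """Stage 2, client side: attach this host's cookies to every request."""
        jar = self.cookie_list.get(host, {})
        if not jar:
            return {}
        return {"Cookie": "; ".join(f"{n}={v}" for n, v in jar.items())}

if __name__ == "__main__":
    header = server_set_preferences(["sports", "weather"])
    browser = Browser()
    browser.receive("my.example", header)
    sent = browser.request_headers("my.example")
    print(header)
    print(sent, "->", server_read_preferences(sent["Cookie"]))
    print("other host gets:", browser.request_headers("other.example"))
```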

Theoretically, at least, a normal text-based cookie cannot be of any danger to your computer or spread any viruses. Whether or not other cookies can be dangerous or spread viruses has to do with whether or not a file is "executable," meaning if it is a program rather than data. UNIX files, for instance, have some combination of the properties "readable," "writeable" and "executable." The executable property is necessary to enable a program in a file to perform a specific function. If a cookie is not stored in an executable format for that platform (i.e., computer), it cannot do anything hostile.

Fortunately, most cookies are not executable. Generally speaking, cookies are stored as text files and, therefore, cannot be dangerous or pass on viruses. Even if a cookie is executable, it would not automatically spread a virus unless you somehow execute it. But, of course, recent bugs in Microsoft's Internet Explorer 3.0 will let a site run an application. In theory, if an executable cookie were set up with malicious content, it is certainly possible that IE 3.0 could execute it and infect your computer with a virus.

Basically, however, cookies do not harm your computer. The current controversy is not about what cookies can do to your computer, but what information they can store and later pass on to servers. However, if a computer hacker can penetrate a computer system utilizing this type of technology, it is going to happen sooner or later. It's simply a matter of time.

Fortunately, some browsers (Netscape, for example) will allow the user to specify that he or she is to be notified whenever a web site wants to write a cookie to the user's hard disk. (See our Netscape Navigator tips and tricks to find out how to be alerted when cookies are about to be sent to you.) The user can then decide whether or not such a write will be allowed. Typically, when rejecting a request to allow such a write, the user will be presented with a message stating that the web site and its associated programs may not function properly. Proceeding without allowing the web site to write a cookie should not, however, cause any damage to your computer even if the web site does not, in fact, work properly. Given the number of excellent alternative sources for information, the user may simply elect to refuse all cookies, and use only those sites that do not attempt to read and write information to the user's computer.

The Internet is a remarkable success story. Literally trillions of bits of information travel around the world on a daily basis, connecting more than 60 million people not only with each other, but also with vast resources of data and access to numerous services around the globe. This success would not have been possible without the introduction of the World Wide Web as a tool that uniformly organizes the wide variety of media (text, graphics, pictures, sound, and video) available on the Internet so that even the inexperienced Web user has access to it all through a simple, user-friendly interface. However, the question you have to ask yourself is: Is the convenience of the WWW worth giving up what you consider to be personal, private or sensitive information?

Copyright © 1997 Phillip Elam All rights reserved