
“Get a Personal Trainer for Your Computer!”©


Without a doubt, the most frequent questions we are asked have to do with the confusion caused by the term “cookies.”  Many people believe that cookies are viruses and should be removed; others have been told that they’re completely harmless.   As usual, the truth lies somewhere in between. 

Right off, the answer to the question: Why is it called a cookie?  The name “cookie” comes from fortune cookies, because of the hidden information inside.  That information is “data” and is no more dangerous than any other text file on your PC.  A cookie can’t snoop, self-replicate, call another computer, send out infected e-mails or perform any other act.  The problem occurs only when the data contained within a cookie is “mined” for a malicious purpose.  But, even if it is, most of the time the data is so benign that it’s practically useless for hackers.  Read on:

Much of the confusion is because there are, in reality, many different types of cookies.

The first difference is between so-called “session” cookies, which are temporary cookies which expire when you close your surfing session, and “persistent” cookies (sometimes called “web beacons”) which remain on your hard drive until they expire after a specified period or you purposely erase them.  Obviously the session cookies pose no problem.  So we’re only talking about persistent cookies here.

Originally, the term cookie referred to what we can call plain old browser cookies.  Basically, this type of cookie is a simple text file written to your computer by a web site that you have visited.  It contains some very basic information about you such as the date and time of your last visit to that site, how you like your start page to look, a randomly generated customer number or site visitor number and the like.  It can’t be much, as they’re limited to 4kb in size. These “first party” or “HTML” cookies have the purpose of personalizing the information that you see on that web site based on the data it retrieves from the cookie stored on your computer.  So there is a beneficial purpose to this type of cookie; when you return to a previously visited web site, it loads faster and takes you where you want to go.  Furthermore, there’s nothing remotely useful contained within it that would personally identify you or cause you any damage if it got into criminal hands.  In theory, a site can read and change only its own cookies but, of course, there can be exceptions to this general rule.

So “first party” cookies are the good cookies.  They gather extremely limited data from you for use only on that web site.  For example, that’s how Amazon.com powers its recommendations to you or a site remembers that, last time you visited, you read the site in French. 

Now come the “bad” cookies, also called “third party” or “tracking” cookies.  These cookies are able to monitor your web surfing across the Web, and therefore they can be of significant commercial value.  From these cookies, companies can see that you’ve been interested in Tiffany lamps, or an Apple iPhone, or travel to New York.  And these cookies are not only generated by the site you visited, but any portals that you used to get there (e.g. Yahoo or Travelocity).  Consider the number of these sites you visit each time you’re surfing the net and you can see how these advertisers can get a very clear picture of your purchasing and viewing habits.  Third party cookies are of absolutely no benefit to the user and exist only for the monetary gain of advertisers, who have “hitched a ride” on legitimate web sites that you may have visited.  Because they can  be used to track users’ interests on the Internet for marketing purposes, they have sometimes been characterized as an invasion of privacy (view the Wall Street Journal article which caused such a stir).  But these types of cookies are combined with a device known as a “web beacon,”  which is what causes the tracking, not the cookie itself.
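To make the session/persistent and first party/third party distinctions concrete, here is an added example (not part of the original article) that classifies cookies from the `Set-Cookie` headers a browser receives. The host names and header values are constructed, and treating the last two labels of a host name as the "site" is a simplifying assumption.

```javascript
// Added example: classify cookies from constructed Set-Cookie headers.
// Simplification (assumption): the "site" is the last two host labels; real
// browsers use the Public Suffix List (needed for hosts like example.co.uk).
function site(host) {
  return host.toLowerCase().replace(/^\./, "").split(".").slice(-2).join(".");
}

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) throw new Error("malformed cookie pair: " + pair);
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// pageHost: host in the address bar; responseHost: host that sent the header.
function classify(pageHost, responseHost, header) {
  const c = parseSetCookie(header);
  // No Expires and no Max-Age means the cookie dies with the browser session.
  const persistent = "expires" in c.attrs || "max-age" in c.attrs;
  const owner = c.attrs.domain ? String(c.attrs.domain) : responseHost;
  return {
    name: c.name,
    lifetime: persistent ? "persistent" : "session",
    party: site(owner) === site(pageHost) ? "first-party" : "third-party",
    bytes: c.name.length + c.value.length, // browsers cap this near 4 KB
  };
}

// Constructed sample: one page view on shop.example that embeds an ad server.
const observed = [
  ["shop.example", "shop.example", "lang=fr; Path=/"],
  ["shop.example", "shop.example", "visitor=83b1c2; Max-Age=31536000; Path=/"],
  ["shop.example", "ads.tracker.example",
    "uid=9f27aa41; Domain=.tracker.example; Expires=Wed, 01 Jan 2031 00:00:00 GMT"],
];
const report = observed.map(([page, host, h]) => classify(page, host, h));
console.log(report);
```

Only the third cookie is both persistent and owned by a site other than the one in the address bar, which is the combination that allows tracking across visits and sites.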

Now, there’s nothing illegal or criminal about third party cookies.  You’ve put yourself out in the public domain via your computer and this is part of the price you must pay.  And some tracking cookies don’t take advantage of web surfers and are more or less legitimate in their intent.  But many computer users do view it as some degree of invasion of their personal privacy.

Most web browsers provide a setting to block cookies if you want.  But it’s not a good idea to block first party cookies, because then many harmless web-based applications won’t work.  You may not be able to view many sites, or your on-line banking program won’t let you connect to their servers.

Third party cookies are another matter.  Some browsers, such as Internet Explorer, purport to block third party cookies from sites that don’t post a particular type of policy statement called the Platform for Privacy Preferences (a/k/a “P3P”), which is a protocol allowing websites to declare their intended use of information they collect.  This has generally been recognized to be of little use.  You’ve got to do more.  To do this, you must delve into the security settings of your browser and manually block such third party cookies.  Here’s how:

In Internet Explorer 7 or 8 click Tools on the Menu Bar, then Internet Options from the drop-down menu, then Privacy.  Under Settings, click on the Advanced button (NOT the Advanced Tab), and UNcheck Accept third-party cookies.  Save and Exit.  In Internet Explorer 9, as well as Firefox and Google Chrome, a setting for “Do Not Track” technology has been introduced; however, it is presently up to the website hosts to decide if they really want to comply with users’ requests for privacy.

In older versions of Firefox, click Tools, Options, then Privacy.  Under Cookie settings, choose Restrict How Third Party Cookies Can Be Used.  The procedure for Chrome is the same, except Privacy is called Under the Hood.

Some countries are considering enacting “cookie laws” which would require users’ consent before allowing sites to use cookies for visitors.  The U.K. has said that it would consider the legislation next year, giving sites a year to consider voluntary solutions to the issue.  The U.S., as usual, can’t make up its mind.

And, of course, if you happen to miss these tracking cookies, or they manage to get through, you can always use any of the free or paid anti-spyware software to eliminate them after the fact.

But Wait!  We’re not quite done.  As you would imagine, once we find a way to eliminate the bad stuff, the bad guys just get more creative.  Their latest ploy is to attach large “Flash” cookies (as large as 100kb) to Adobe Flash Player.  You know, that’s the free software that’s on virtually all computers that allows you to view animation on most websites on the internet.  Created by Adobe in 1997, flash cookies don’t use first or third party cookies but instead use something somewhat like cookies called Local Shared Objects (“LSOs”).  Click HERE for the Adobe explanation about what flash cookies are.  And the LSO can be set on your computer even if you don’t see a Flash presentation because, by default, Flash accepts all third party LSOs.  And none of the currently available anti-spyware programs detect LSOs. How about that!

Moreover, unlike standard cookies, some vendors have figured out how to create self-restoring Flash cookies, a/k/a “zombie cookies,” cookies which return to life even after they’ve been removed and sent to their death.  This happens because, when you visit some sites, they will put cookies not only on your browser, but also duplicates into the Flash LSO.  When you go back to those sites, they first check to see if you have stored the standard cookies and, if none are found, they next check the LSOs to see if the duplicates are available and, if so, they are used to reconstruct the original cookies and return them to their rightful place.  Because they provide online purveyors with a secret way to keep tabs on users, they can be annoying and possibly harmful.  It is estimated that more than 75% of online videos are delivered using Flash technology, and that companies with names such as Clearspring Technologies, Specific Media and Quantcast are using it to create user profiles that can contain a surprising amount of personal data to identify individuals. In 2010, at least half a dozen lawsuits have been filed against Fox Entertainment, Walt Disney Internet Group and NBC Universal accusing them of using Flash cookies to track users who downloaded videos on those sites, even when the users thought they had erased the cookies.

Finally, there’s the Evercookie, which also isn’t quite a real cookie, but rather a JavaScript programming tool created in 2010 by the notorious Samy Kamkar, the creator of the Samy worm, which infected over a million MySpace accounts back in 1997, and who went to jail for it.  He calls it the Evercookie because it’s intended to stay on your computer, somewhere, forever.  The Evercookie is also self-regenerating, because it is planted in at least ten different places on your computer, such that if a common cookie-removal tool deletes it in one place, it is restored from another. [Luckily the Evercookie can be blocked by disabling active scripting (or at least asking for a prompt before running scripts) at the custom level of Internet settings.   Similar outs exist for Firefox and Chrome browsers.  Also, for Firefox, there’s a plug-in called “Nevercookie” from Anonymizer Labs that claims to do the trick.]
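The self-restoring behaviour of zombie cookies and the Evercookie can be checked for from the user's side. The following added example (not from the original article) compares three snapshots of a browser's storage, taken before clearing cookies, right after clearing, and after revisiting the site, and flags any cookie whose value came back while a duplicate sat in another store. The snapshot format, store names and all values are constructed assumptions; how the snapshots are collected is outside the example.

```javascript
// Added example: flag "zombie" cookies by comparing three constructed snapshots.
// Snapshot shape (assumption): { storeName: { origin: { key: value } } }.
function indexValues(snapshot, storeNames) {
  // Map each stored value to the "store:origin:key" locations that hold it.
  const seen = new Map();
  for (const store of storeNames) {
    for (const [origin, items] of Object.entries(snapshot[store] || {})) {
      for (const [key, value] of Object.entries(items)) {
        if (String(value).length < 8) continue; // too short to be a unique ID
        if (!seen.has(value)) seen.set(value, []);
        seen.get(value).push(`${store}:${origin}:${key}`);
      }
    }
  }
  return seen;
}

function findRespawned(before, afterClear, afterRevisit, backupStores) {
  const oldCookies = indexValues(before, ["cookies"]);
  const clearedCookies = indexValues(afterClear, ["cookies"]);
  const survivors = indexValues(afterClear, backupStores);
  const findings = [];
  for (const [value, where] of indexValues(afterRevisit, ["cookies"])) {
    // Respawn: the cookie existed, was really deleted, and came back with the
    // same value while a duplicate sat in a non-cookie store the whole time.
    if (oldCookies.has(value) && !clearedCookies.has(value) && survivors.has(value)) {
      findings.push({ value, cookie: where[0], restoredFrom: survivors.get(value) });
    }
  }
  return findings;
}

// Constructed snapshots for the hypothetical site video.example.
const lso = { "video.example": { backup: "a81f93c07d22" } };
const before = { cookies: { "video.example": { uid: "a81f93c07d22" } }, flashLSO: lso };
const afterClear = { cookies: {}, flashLSO: lso };
const afterRevisit = {
  cookies: { "video.example": { uid: "a81f93c07d22", sid: "77c0e1d4b9aa" } },
  flashLSO: lso,
};
const zombies = findRespawned(before, afterClear, afterRevisit, ["flashLSO", "localStorage"]);
console.log(zombies);
```

The fresh `sid` cookie is not flagged because its value is new; only `uid`, which returned with its old value after deletion, is reported along with the store that held the duplicate.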

So, what to do?  Flash gives you some control over blocking third party LSOs, but not all of them.  You must go to Adobe’s Flash Player Settings Manager (click HERE), click on the Website Privacy Settings tab and view the LSOs on your computer (keeping in mind that this isn’t all of them, only those that the program running on your computer can retrieve) and delete any LSOs you don’t want.

If you want to prevent Flash from storing any third party LSOs at all, click on the second tab from the left in the Manager to view the Global Storage Settings dialogue and then uncheck Allow Third Party Flash Content To Store Data On Your Computer.

Beware, however, that blocking these third party cookies may result in some sites failing to load, or failing to load completely.  If that’s the case, you have a choice to make about how important that site is to you.

Also, you can attempt to opt out of as many individual advertising offenders as possible in a direct fashion:  For example, for DoubleClick, you can go to the opt out page where it purports to prevent DoubleClick from placing a unique cookie on your computer which would otherwise enable them to track you across the sites you visit.  But you would have to do this for every advertiser you could locate.

Think you’re out of the woods yet?  Never!  Consider the increasing use of HTML5 to code web pages which, by using a process which makes it possible to store large amounts of data on a user’s hard drive while online, also makes it possible for advertisers and others to see weeks and months of personal browsing data at the same time. 

By the way, Microsoft’s Silverlight, a distant competitor to Flash, also allows its version of LSOs, but has no controls to block such third party cookies, although at the moment it’s used on relatively few PCs. Another reason that I don’t recommend Silverlight.  [Incidentally, you can’t access Silverlight controls from the Silverlight main page, you have to right click anywhere on a Silverlight site page, then choose the Configuration Tool, Application Storage tab to at least wipe out isolated Storage cookies for specific sites.]

Related:  So, you might ask, how do those annoying pop-up ads know where I live?  You know, those pop-up ads from available women in my area who are just dying to “date” me.  How do they know where I live?  Do they have some kind of inside knowledge or are they hacking my computer?  Nope.  You should know that the IP “address” which identifies your computer on the Internet does have some basic information, such as the general geographic area in which the computer is located.  For more about how advertisers use this information, see Social Networking, in the Privacy section.  Your data is being “mined.”  But this “IP Geolocation” can also be useful in the reverse - for example, you can determine that the “girl next door” is actually located in Russia; the “geotag” on her photo will include precise location information.  Nothing to worry about - your IP address is only general and then only the equivalent to your P.O. Address.  Nothing more is shared.

These, then, are the main things you should know about cookies.  Of course, as we get smarter about protecting our on-line privacy, companies will always have the financial incentive to stay one step ahead of us in their quest to separate us from our shopping dollars, or worse.


© Computer Coach.  All written materials are the sole property of Computer Coach (unless otherwise attributed) and no part of this website may be used in any format without the express written permission of Computer Coach.