Without a doubt, the most frequent questions we are asked have to do with the confusion caused by the term “cookies.” Many people believe that cookies are viruses and should be removed; others have been told that they’re completely harmless. As usual, the truth lies somewhere in between.
WHAT IS A COOKIE?
The cookie was invented by a programmer named Lou Montulli when he worked at Netscape. He has said that he invented the cookie in order to make the web “more efficient” and never intended the “unintended consequence” that it would be used as a tracking device.
Much of the confusion is because there are, in reality, many different types of cookies.
SESSION vs PERSISTENT COOKIES
The first difference is between so-called “session” cookies, which are temporary cookies which expire when you close your surfing session, and “persistent” cookies (sometimes called “web beacons” or “tracking cookies”) which remain on your hard drive until they expire after a specified period or you purposely erase them. Obviously the session cookies pose no problem. So we’re only talking about persistent cookies here.
FIRST PARTY COOKIES
Originally, the term cookie referred to what we can call plain old browser cookies. Basically, this type of cookie is a simple text file written to your computer by a web site that you have visited. It contains some very basic information about you such as the date and time of your last visit to that site, how you like your start page to look, a randomly generated customer number or site visitor number and the like. It can’t be much, as they’re limited to 4kb in size. These “first party” or “HTML” cookies have the purpose of personalizing the information that you see on that web site based on the data it retrieves from the cookie stored on your computer. So there is a beneficial purpose to this type of cookie; when you return to a previously visited web site, it loads faster and takes you where you want to go. Furthermore, there’s nothing remotely useful contained within it that would personally identify you or cause you any damage if it got into criminal hands. In theory, a site can read and change only its own cookies but, of course, there can be exceptions to this general rule.
So “first party” cookies are the good cookies. They gather extremely limited data from you for use only on that web site. For example, that’s how Amazon.com powers its recommendations to you or a site remembers that, last time you visited, you read the site in French.
THIRD PARTY COOKIES
Now come the “bad” cookies, also called “third party” or “tracking” cookies. These cookies are able to monitor your web surfing across the Web, and therefore they can be of significant commercial value. From these cookies, companies can see that you’ve been interested in Tiffany lamps, or an Apple iPhone, or travel to New York. And these cookies are not only generated by the site you visited, but any portals that you used to get there (e.g. Yahoo or Travelocity). Consider the number of these sites you visit each time you’re surfing the net and you can see how these advertisers can get a very clear picture (called a “fingerprint”) of your purchasing and viewing habits. Third party cookies are of absolutely no benefit to the user and exist only for the monetary gain of advertisers, who have “hitched a ride” on legitimate web sites that you may have visited. Because they can be used to track users’ interests on the Internet for marketing purposes, they have sometimes been characterized as an invasion of privacy (view the Wall Street Journal article which caused such a stir). But these types of cookies are combined with a device known as a “web beacon,” which is what causes the tracking, not the cookie itself.
Now, there’s nothing illegal or criminal about third party cookies. You’ve put yourself out in the public domain via your computer and this is part of the price you must pay. And some tracking cookies don’t take advantage of web surfers and are more or less legitimate in their intent. But many computer users do view it as some degree of invasion of their personal privacy.
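To make the session/persistent and first party/third party distinctions concrete, here is an added example (not part of the original article) that classifies the Set-Cookie headers seen while loading one page. The host names, cookie values and the two-label `site_of` shortcut are assumptions made for illustration; real browsers use the Public Suffix List.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: Set-Cookie headers seen while loading one page.
PAGE_HOST = "shop.example.com"
NOW = datetime(2030, 1, 1, tzinfo=timezone.utc)
OBSERVED = [  # (host that sent the response, Set-Cookie value)
    ("shop.example.com", "lang=fr; Path=/"),
    ("shop.example.com", "visitor=8f3a; Max-Age=31536000; Path=/"),
    ("ads.tracker-example.net", "uid=c0ffee; Expires=Wed, 01 Jan 2031 "
     "00:00:00 GMT; Domain=.tracker-example.net; Path=/"),
    ("shop.example.com", "old=; Max-Age=0"),
]

def site_of(host):
    """Approximate the registrable domain as the last two labels.
    Simplification: browsers consult the Public Suffix List instead."""
    return ".".join(host.lower().lstrip(".").split(".")[-2:])

def classify(page_host, response_host, set_cookie, now):
    """Classify one Set-Cookie header by party and by lifetime."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    lifetime = None  # seconds; None means no expiry was set (session cookie)
    if "max-age" in attrs:  # Max-Age takes precedence over Expires
        lifetime = int(attrs["max-age"])
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        lifetime = (expires - now).total_seconds()
    if lifetime is None:
        kind = "session"
    elif lifetime <= 0:
        kind = "deletion"  # an expiry in the past tells the browser to drop it
    else:
        kind = "persistent"
    cookie_host = attrs.get("domain") or response_host
    same_site = site_of(cookie_host) == site_of(page_host)
    return {"name": name, "party": "first" if same_site else "third",
            "kind": kind,
            "days": round(lifetime / 86400) if kind == "persistent" else None}

def report():
    return [classify(PAGE_HOST, host, hdr, NOW) for host, hdr in OBSERVED]

if __name__ == "__main__":
    for row in report():
        print(row)
```

A persistent cookie set by a different site than the one in the address bar is the combination the article calls a tracking cookie.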
FLASH COOKIES AND LSOs
But Wait! We’re not quite done. As you would imagine, once we find a way to eliminate the bad stuff, the bad guys just get more creative. Their latest ploy is to attach large “Flash” cookies (as large as 100kb) to Adobe Flash Player. You know, that’s the free software that’s on virtually all computers that allows you to view animation on most websites on the internet. Created by Adobe in 1997, Flash cookies don’t use first or third party cookies but instead use something somewhat like cookies called Local Shared Objects (“LSOs”). Click HERE for the Adobe explanation about what Flash cookies are. And the LSO can be set on your computer even if you don’t see a Flash presentation because, by default, Flash accepts all third party LSOs. And none of the currently available anti-spyware programs detect LSOs. How about that!
Moreover, unlike standard cookies, some vendors have figured out how to create self-restoring Flash cookies, a/k/a “zombie cookies,” cookies which return to life even after they’ve been removed and sent to their death. This happens because, when you visit some sites, they will put cookies not only on your browser, but also duplicates into the Flash LSO, so that when you go back to those sites, they first check to see if you have stored the standard cookies and, if none are found, they next check the LSOs to see if the duplicates are available and, if so, they are used to reconstruct the original cookies and return them to their rightful place. Because they provide online purveyors with a secret way to keep tabs on users, they can be annoying and possibly harmful. It is estimated that more than 75% of online videos are delivered using Flash technology, and that companies with names such as Clearspring Technologies, Specific Media and Quantcast are using it to create user profiles that can contain a surprising amount of personal data to identify individuals. In 2010, at least half a dozen lawsuits were filed against Fox Entertainment, Walt Disney Internet Group and NBC Universal accusing them of using Flash cookies to track users who downloaded videos on those sites, even when the users thought they had erased the cookies.
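One way to check for the self-restoring behaviour described above, as an added example that is not part of the original article: take a snapshot of each storage area before clearing cookies, after clearing, and after revisiting the site, then look for a cookie that comes back with its old value. The store names and snapshot contents are constructed for illustration.

```python
COOKIE_STORE = "http_cookies"

# Constructed snapshots for one site: {store name: {key: value}}.
BEFORE = {
    "http_cookies": {"uid": "c0ffee42", "lang": "fr", "sid": "a1"},
    "flash_lso": {"backup_uid": "c0ffee42"},
    "html5_localstorage": {},
}
AFTER_CLEAR = {  # browser cookies deleted; the Flash LSO was left untouched
    "http_cookies": {},
    "flash_lso": {"backup_uid": "c0ffee42"},
    "html5_localstorage": {},
}
AFTER_REVISIT = {
    "http_cookies": {"uid": "c0ffee42", "sid": "b7"},
    "flash_lso": {"backup_uid": "c0ffee42"},
    "html5_localstorage": {},
}

def find_respawned(before, after_clear, after_revisit):
    """Return cookies that were deleted and then came back unchanged."""
    findings = []
    for name, old_value in before.get(COOKIE_STORE, {}).items():
        if name in after_clear.get(COOKIE_STORE, {}):
            continue  # never actually deleted, so not a respawn
        if after_revisit.get(COOKIE_STORE, {}).get(name) != old_value:
            continue  # still gone, or replaced by a fresh value
        # Stores that kept a copy of the identifier through the clearing.
        # An empty list means the copy lived somewhere not snapshotted.
        sources = sorted(
            store for store, items in after_clear.items()
            if store != COOKIE_STORE and old_value in items.values()
        )
        findings.append({"cookie": name, "value": old_value,
                         "restored_from": sources})
    return findings

if __name__ == "__main__":
    for finding in find_respawned(BEFORE, AFTER_CLEAR, AFTER_REVISIT):
        print(finding)
```

In the sample, `sid` returns with a new value and `lang` stays gone, so only `uid` is reported, with the Flash LSO as the surviving copy.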
So, what to do? Flash gives you some control over blocking third party LSOs, but not all of them. You must go to Adobe’s Flash Player Settings Manager (click HERE), click on the Website Privacy Settings tab and view the LSOs on your computer (keeping in mind that this isn’t all of them, only those that the program running on your computer can retrieve) and delete any LSOs you don’t want.
If you want to prevent Flash from storing any third party LSOs at all, click on the second tab from the left in the Manager to view the Global Storage Settings dialogue and then uncheck Allow Third Party Flash Content To Store Data On Your Computer.
Beware, however, that blocking these third party cookies may result in some sites failing to load, or failing to load completely. If that’s the case, you have a choice to make about how important that site is to you.
Also, you can attempt to opt out of as many individual advertising offenders as possible in a direct fashion: For example, for DoubleClick, you can go to the opt out page where it purports to prevent DoubleClick from placing a unique cookie on your computer which would otherwise enable them to track you across the sites you visit. But you would have to do this for every advertiser you could locate.
HTML5 & SILVERLIGHT
Think you’re out of the woods yet? Never! Consider the increasing use of HTML5 to code web pages which, by using a process which makes it possible to store large amounts of data on a user’s hard drive while online, also makes it possible for advertisers and others to see weeks and months of personal browsing data at the same time.
By the way, Microsoft’s Silverlight, a distant competitor to Flash, also allows its version of LSOs, but has no controls to block such third party cookies, although at the moment it’s used on relatively few PCs. Another reason that I don’t recommend Silverlight. [Incidentally, you can’t access Silverlight controls from the Silverlight main page, you have to right click anywhere on a Silverlight site page, then choose the Configuration Tool, Application Storage tab to at least wipe out isolated Storage cookies for specific sites.]
HOW DO THEY KNOW ME?
HOW TO BLOCK COOKIES
Most web browsers provide a setting to block cookies if you want. But it’s not a good idea to block first party cookies, because then many harmless and desirable web-based applications won’t work. You may not be able to view many sites, or your on-line banking program won’t let you connect to their servers.
Third party cookies are another matter. Even though some browsers such as Internet Explorer purport to block third party cookies from sites that don’t post a particular type of policy statement called the Platform for Privacy Preferences (a/k/a “P3P”) which is a protocol allowing websites to declare their intended use of information they collect, this has generally been recognized to be of little use. You’ve got to do more. To do this, you must delve into the security settings of your browser and manually block such third party cookies. Here’s how:
In Internet Explorer 7 or 8 click Tools on the Menu Bar, then Internet Options from the drop-down menu, then Privacy. Under Settings, click on the Advanced button (NOT the Advanced Tab), and UNcheck Accept third-party cookies. Save and Exit.
In Internet Explorer 10, there are several different places you have to go: First, click the “gear” icon, then Internet Options, then the Privacy tab and select from six privacy options or customize one of your own. But, because these settings only apply to HTML cookies and not supercookies, you also have to click on Tools, then select Delete Browsing History, selecting appropriate options. Next, turn on the Do Not Track option by clicking on the Advanced tab in Internet Options, scrolling down and selecting the Always send Do Not Track header (or click Tools/Tracking Protection and the browser will open with Tracking Protection highlighted). Click on Your Personalized List to highlight it, then click on the Enable button on the lower right corner of the Add-ons window. Deselecting the list will link you to Get a Tracking Protection List online, which will provide you with an even more extensive (third party) list. IE10 will then block all data from going out to the selected sites. For browsing security, you can get some Internet protection, in the Tools menu, by enabling InPrivate Browsing. Finally, in Internet Options, you can click on the Privacy tab and check the Never allow websites to request your physical location box, and in the Advanced tab you can uncheck the DOM storage box to prevent supercookies from using local storage.
In Internet Explorer 9, as well as Firefox (at Options, Privacy, clicking Tracking: Tell sites that I do not want to be tracked and also Never remember history or custom settings; disabling DOM storage is more complex) and Google Chrome (click the three-bar icon on the upper right of the Toolbar, select Settings, then Show Advanced Settings to get to Privacy, where you can manage the settings), a setting for “Do Not Track” technology has been introduced. Chrome includes an Incognito mode for private browsing, but unfortunately it can’t be set as the default as you can with Firefox. And Chrome won’t prevent supercookies from using local storage, unless you prevent all cookies from doing so. (Of course, Google’s mission is to promote its advertisers, so no wonder it’s difficult to opt out!) No matter what, however, it is presently up to the website hosts to decide if they really want to comply with users’ requests for privacy.
In older versions of Firefox, click Tools, Options, then Privacy. Under Cookie settings, choose Restrict How Third Party Cookies Can Be Used. The procedure for Chrome is the same, except Privacy is called Under the Hood.
And, of course, if you happen to miss these tracking cookies, or they manage to get through, you can always use any of the free or paid anti-spyware software to eliminate them after the fact. Or use an onion router like Tor to avoid detection completely.
STILL, FOLLOW THE MONEY...
Don’t get too smug, even if you follow all of the guidelines. Companies like Google aren’t going to give up trying to get your money. In September, 2013 Google announced that it was going to give up using cookies as an online tracking tool. And they may well do so. But at the same time sources tell us that Google is developing an anonymous identifier for advertising (“AdID”) that would replace third party cookies and would be transmitted to advertisers that have agreed to “basic guidelines” which would “give consumers privacy and control over how they browse the Web”. Right...
Startups are attempting to deliver, without cookies, tracking data comparable to that which cookies collect. A company named AddThis in Vienna, Virginia has created a technique called “canvas fingerprinting” where a website makes visiting computers draw an object and can tell machines apart based on slight variations. Already, more than 100,000 websites (the top 5%) listed by web rating system Alexa are employing this feature to track users. And because there is no opt-out and it is not detected as a tracking cookie, there’s very little you can do about it right now. Other startups like BlueCava, Drawbridge and Tapad are all working on tracking services and software that will be able to link PC, smartphones, tablets and even smart TVs to identify them for tracking purposes. For the moment, your cell phone and apps are safe, but probably not for long.
DO I HAVE ANY LEGAL PROTECTION FROM COOKIES?
HOW CAN I TRACK MY COOKIES?
On a more advanced level, if you are interested in seeing what’s inside your browser cookies, there are a couple of ways. You can use your browser’s own tools, or there are deeper third-party tools available. Because browser cookies are specific to the browser they are created on, you will have to navigate to the (sometimes hidden) folder on your computer, usually in the user profile. To go deeper, you could use NirSoft’s FlashCookiesView, IECookiesView or MozillaCookiesView apps.
These, then, are the main things you should know about cookies. Of course, as we get smarter about protecting our on-line privacy, companies will always have the financial incentive to stay one step ahead of us in their quest to separate us from our shopping dollars, or worse.