Cookies Assist Users While Robbing Privacy
- :: 20 Works Cited
- Length: 3702 words (10.6 double-spaced pages)
- Rating: Excellent
Abstract: Internet cookies have been around for a few years now, and have become quite widespread in usage. However, their use has attracted criticism from some privacy experts. They claim that cookies give a web site's administrator power to monitor an internet user's travel through the internet - a blatant infraction into the anonymity on the internet. What is being done to counter this claim is also discussed.
A cookie is a small text file placed by a Web server on a client's browser for identification purposes. This small text file (usually less than 1K in size) can contain information to identify a user to the Web server.1 The cookie is given during the first meeting between the browser and the Web page. During each subsequent connection to the Web server, the cookie is sent by the browser to the server along with requests for Web pages.2
This small transfer of a cookie1 may greatly convenience the internet user. By sending this identifying piece of information, the Web server can identify and tailor its Web content to its user. This enables the webmaster to develop a number of useful features such as custom formatting of the Web site, offering custom services, alerting the user of new material since last visit, keeping track of shopping baskets, etc.3
Cookies are designed to hide the user's identity and prevent harm to the user's computer. Although each browser holds cookies from different Web sites, Web servers can only retrieve cookies that were set by the same server, and no foreign web site access these cookies2.4 Furthermore although cookies reside on a user's computer, they cannot do any harm to the system as they are created as non-executable text files.5
It is the case, however, that many users fear cookies as a privacy threat to their identity. They believe that personal information can be disseminated to unknown sites with unknown consequences.6 This turns out to be only a minor threat since cookies are available only to the webmaster of the Web site that set the cookies in the first place.3 And as is the case, cookies are mostly comprised of identity information which can only be understood by the Web server which set them.7 What is at issue, however, is how Web companies can monitor, or 'track' where a user goes while on the internet. Web site tracking is useful because it allows webmasters to view how a user moves around its site, and based on this information to improve the Web site.
It can also be used, and is more often used, for targeted marketing. By seeing an advertisement on a web site, a marketing company can monitor the web site's user visits, and thus target advertisements to that user's interests.8
Cookies - A Brief History and Objective
The hypertext transfer protocol (HTTP) is a stateless mechanism of file transfer. When a client requests a Web page, a connection is made with the Web server. Once the Web server transfers the file (one connection is made for each file - be it a web page or an image), the connection between the client and the server is lost. If the same client requests another Web page, a new request is made and the Web server treats the client as one never seen before. The cookie protocol was invented to overcome stateless HTTP. Using cookies, a Web server can recognize that the client has already been serviced, and based on this information can determine how to service it further.10
The word 'cookie' was chosen by Netscape Communications Corp. for what Netscape claims as "no compelling reason."11 However, the word 'cookie' was previously used as a name for an access control mechanism under X Window System. Under this system, which was released in 1991, a variable called MIT-MAGIC-COOKIE-1 was used to store "shared plain-text 'cookies'".12 Cookies as we know them today, however, did not enter into the internet vocabulary until 1995 when its protocol was set for patenting by Lou Montulli of Netscape Communications Corp.13 And although cookies were supposedly supported under Netscape browser version 1.0, they began to be documented and used in Netscape browser version 2.0 and later.14
According to Netscape's specification, cookies are:
"a general mechanism which server side connections (such as CGI scripts) can use to both store and retrieve information on the client side of the connection. The addition of a simple, persistent, client-side state significantly extends the capabilities of Web-based client/server applications."15
The Interaction Behind Cookies
- How cookies work -
As mentioned above, a cookie is a small text file. The text file contains the following fields, all of which (with the exception of the name-value combination which must be provided by the Web server setting the cookie) have default values unless otherwise set by the Web server:17
* A name and value combination that a Web server will set and later retrieve; this name-value combination is the key used for a Web server to identify the user each time he comes back to the same host;
* An expiration field which tells the client browser when the cookie should be deleted (cookies may expire after the current session - when the browser is closed - or may last until a set date);
* A domain name which is used when searching for valid cookies to send to a Web server; the browser will only send cookies to a server with a tail-matching domain name;4
* A path attribute specifying a subset of URL's of the host that the cookie is valid for;5
* A secure mark, which if the cookie is marked, the cookie will only be transferred by the client if the connection with the host is secure.
The interaction between a (cookie enabled) server and a (cookie accepting) client is as follows:18
1. a Web browser requests a page from a Web server;
2. the Web server sends back the page as well as an instruction for the browser to write a cookie (or cookies);
3. the client writes the cookie onto its system;
4. each time the client now requests a web page, cookies are searched whether a cookie has been previously written that matches the domain and path of the host to be requested;6
5. if a cookie is found that matches the host, that cookie is sent to the Web server along with the request for a Web page;
6. the Web server receives the cookie along with the page request and can use the cookie to 'remember' the user and process the user's request appropriately.
- How cookies are used -
A very common use for cookies is exactly what it was intended for: convenience to the user. A Web site such as <my.yahoo.com> allows the user to customize its services to cater to every user. To tell users apart and to protect privacy of customized pages, <my.yahoo.com> requires a login and password. But instead of a user typing in his login and password every time he comes back to the site, with the permission of the user, <my.yahoo.com> sets a cookie on the user's computer to recognize him every time he comes back to the site. That way, the <my.yahoo.com> Web server can read the user's cookie and automatically respond with the user's customized Web page.19
Another application of cookies can be to track a user's every move through a web site. A webmaster can set a cookie once a user enters his site. Then, ever time the user requests a new page, the Web server will receive a cookie telling it who is accessing the page.20 Such tracking can be used to improve web sites by identifying pages where users usually lose interest and disconnect from the web site. It can also give a more accurate count of visitors (by counting unique cookies and not hits which can be produced by hitting the reload button).21
A major application of cookies is tracking done by marketing firms. By placing an advertisement on a Web page, the marketing firm can identify the user viewing the Web page. Knowing what the content of the page being viewed is, the marketing firm can compile a database of what web pages the user has accessed, and thus build on the interests of the user. The next time that the user accesses a page with an advertisement from the same marketing firm, the image sent as the advertisement is carefully chosen using the user's interests. However, as this kind of interest gathering is a hot topic among internet users, advertising firms often claim that tracking is used in order to make sure that the same advertisement is not viewed too often by the same user.22
Privacy Concerns with Cookies
The first and most basic privacy concern of internet users concerning cookies has been the ability of a Web server to write to a user's hard drive without the user's full consent or knowledge.23 The original browsers that supported cookies did not give the user an option to opt out of accepting a cookie. Thus cookies were introduced into the internet world without an option not to use them.24
When introduced, cookies were not yet perceived as a threat to anonymity of the user. This quickly changed as marketing firms became interested in matching user's internet usage with tailored advertising. This can only be done when a user can be identified by a Web server. Thus, once cookies became widespread, it also turned out that with the help of cookies, a Web server could gain access to the user's e-mail address, provided that the user had set up to send and receive mail on Netscape.25 Advertising companies also quickly realized that by sending HTML e-mails, they could place the user's e-mail address in the URL of an advertisement in the e-mail, and later match the cookie with the user's e-mail address.26 Thus it became clear that by using cookies, internet usage quickly lost its anonymity without the user's consent or the option to avoid being identified.
Marketing firms do not, however, need to know a user's e-mail address in order to target its audience. Identifying a user on the internet can be done anonymously, but at the same time still recognize the same user every time a web site is accessed.27 This type of tracking is harder to define as infringing on personal privacy, although many people believe that since this is done without the user's knowledge, it invades the user's privacy. On one hand, marketing firms claim, the information gained from such tracking is minimal and not intrusive. The opposite view claims that no one has the right to conduct such tracking without the proper consent of the user being tracked.28
DoubleClick Inc, the internet's largest advertising firm, has been the main target of scrutiny over web tracking using cookies.29 But DoubleClick CEO Kevin O'Connor assures people that they "have no way to correlate cookies with people's names," and only "provide frequency control for advertisers."30 Or so it used to be. With DoubleClick's acquisition of Abacus Direct Corp., a marketing firm which maintains a database of names, addresses, and shopping habits of consumers, the old view of frequency control may be coming to an end. DoubleClick has now begun matching its vast database on tracked information on 'anonymous' users to Abacus' database of names and shopping habits. The result is an end to privacy on the internet.31
DoubleClick's (as well as other advertising companies') response to growing privacy concerns is the 'opt-out' option, where a user can choose not to be monitored as he traverses the internet.32 Most users, however, do not know they are being tracked, let alone that the option not to be exists. And even if a user opts out of being tracked by DoubleClick, there is virtually no way of knowing what other marketing firms are also using the same tracking technology.33 Thus the problem remains7.
Public Opinion on Cookies and Targeted Advertising
Mostly of interest to privacy advocates concerning cookies is how many users know about them and how they use their cookie options in the browser. According to surveys conducted by The Graphics, Visualization, and Usability Center from 1994 on, a quarter of users (25%) do not know what cookies are. As for the rest, 22% always accept cookies, and about the same (23%) have their options set to warn them when accepting cookies.34
On the marketing side, over half (55%) of internet users agree that Web sites need some information about their users to market their site.35 However over 82% of users believe that "third party advertising agencies should be able to compile [user's] usage behavior across different Web sites for direct marketing purposes."36
Actions Under Consideration For and Against Cookies
There are a number of things that internet users are doing to counter the cookie invasion of privacy. The easiest and most simple is to turn off accepting cookies altogether (by setting an option on the browser). This gain of privacy is done at the price of loss of features built into the site that only function properly with cookies.37
Users sometimes use third party software which automatically delete or reject cookies.38 And if anonymity is the main concern to users, a service called The Anonymizer is available to hide users' tracks by redirecting an internet user's requests through its servers.39
For the time being, the government has not intervened to protect privacy on the internet. The Federal Trade Commission's (FTC) standpoint has been that companies will self-regulate their interests with the privacy interests of their users. In May, 2000, however, the FTC issued a report that concluded that self-regulation no longer effectively protects the user's privacy, and legislation will be needed to put internet companies in check. The FTC is yet to pass a comprehensive law to monitor cookie uses.42
* Information needs to be easily available to an internet user upon request;
* The user must be able to judge between the available choices;
* Consent must be obtained from the user before proceeding to place cookies on the user's system;
* Fair conditions for the user to be confident in the service provider;
* A system of recourse for internet users must be established in order to keep internet companies in check.10
The cookie protocol has the potential (as Web pages of today show) to be a very convenient tool to both Web users and companies. There is, however, much room for abuse, which must be kept in check by consumers and authorities alike if the internet is to continue as a private forum of information exchange. As it is today, too many users are not aware of the cookie technology, and are thus ignorant to the privacy concerns around their use. Although it is still quite easy to advert cookies, advertisers and Web companies will continue to use them in a way that makes not accepting them cumbersome. The next step is for legislation to protect privacy, and for webmasters to protect the user's privacy when using the technology known as cookies.
1 "Cookies: What are they, and why do you want to give me one?" Interlog Support Information - COOKIES. 1999. <http://www.interlog.com/cookies.html>. Accessed: 2/13/2001.
2 "So what are cookies, anyway?" The Cookie Trade: 1. <http://macworld.zdnet.com/netsmart/cookiestory.html>. Accessed: 2/13/2001.
3 "Cookies: What are they, and why do you want to give me one?"
4 "Persistent Client State: HTTP Cookies". Netscape Support Documentation: Client Side State - HTTP Cookies. 1999. <http://www.netscape.com/newsref/std/cookie_spec.html>. Accessed: 2/13/2001.
5 "Cookies and Viruses". Cookie Central. 1998. <http://www.cookiecentral.com/c_virus.htm>. Accessed: 2/13/2001.
6 "Persistent Cookie FAQ". Cookie Central. 1998. <http://www.cookiecentral.com/faq.htm>. Accessed: 2/15/2001.
7 "Cookies: What are they, and why do you want to give me one?"
8 "Cookies". Cookie Central.
9 "Cookies". Cookie Central.
10 "Comments of Netscape Concerning Consumer On-Line Privacy-P954807". April 16, 1997. <http://www.ftc.gov/bcp/privacy/wkshp97/comments2/netsc067.htm>. Accessed: 2/13/2001.
11 "Persistent Client State: HTTP Cookies".
12 "User Commands". UNIX man pages : X(1). 1991. <http://debreu.eco.utexas.edu/cgi-bin/man-cgi?X+1>. Accessed: 2/15/2001.
13 "US5774670: Persistent client state in a hypertext transfer protocol based client-server system". Intellectual Property Network. June 30, 1998. <http://www.delphion.com/details?pn=US05774670__>. Accessed: 2/15/2001.
14 "Cookies: 'New-Age Cookies' ". Roger Clarke's Cookies Page. January 13, 2001. <http://www.anu.edu.au/people/Roger.Clarke/II/Cookies.html>. Accessed: 2/13/2001.
15 "Persistent Client State: HTTP Cookies".
16 "Persistent Client State: HTTP Cookies".
17 "Persistent Client State: HTTP Cookies".
18 "Cookies: 'Background' ". Roger Clarke's Cookies Page. January 13, 2001. <http://www.anu.edu.au/people/Roger.Clarke/II/Cookies.html>. Accessed: 2/13/2001.
19 "Purpose of Cookies". The Cookie Controversy. 1998. <http://www.cookiecentral.com/ccstory/cc2.htm>. Accessed: 2/13/2001.
20 "How Web Servers' Cookies Threaten Your Privacy". Junkbusters. February 13, 2000. <http://www.junkbusters.com/ht/en/cookies.html>. Accessed: 2/13/2001.
21 "Cookies". Cookie Central.
22 "Cookies as marketing tools". The Cookie Trade: 4. <http://macworld.zdnet.com/netsmart/cookiestory4.html>. Accessed: 2/13/2001.
23 "Keeping things private". The Cookie Trade: 3. <http://macworld.zdnet.com/netsmart/cookiestory3.html>. Accessed: 2/13/2001.
24 "Cookies and Internet Privacy" Internet Privacy: The Cookie Controversy. 1998. <http://www.cookiecentral.com/ccstory/cc3.htm>. Accessed: 2/13/2001.
25 "Keeping things private". The Cookie Trade: 3.
26 "Privacy advocates call for email cookie leak to be plugged". News and Opinion on Marketing and Privacy. February 13, 2001. <http://www.junkbusters.com/ht/en/new.html>. Accessed: 2/13/2001.
27 "Cookies as marketing tools".
28 "The Dark Side". Cookie Central. 1998. <http://www.cookiecentral.com/dsm.htm>. Accessed: 2/13/2001.
29 Rodger, Will. "Activists charge DoubleClick double cross: Web users have lost privacy with the drop of a cookie, they say". USATODAY.com. June 7, 2000. <http://www.usatoday.com/life/cyber/tech/cth211.htm>. Accessed: 2/13/2001.
30 "Cookies as marketing tools".
31 Rodger, Will.
32 "Opt-Out". DoubleClick. 2001. <http://www.doubleclick.net:80/us/print.asp?asp_object_1=&title=Opt%2Dout&id=262&type=P&url=/us/corporate/privacy/opt-out.asp&OtherContent=>. Accessed: 2/13/2001.
33 "FTC drops investigation of DoubleClick". What's News at Junkbusters. February 13, 2001. <http://www.junkbusters.com/ht/en/new.html>. Accessed: 2/13/2001.
35 "Information about Users Improves Marketing of Site". GVU's Tenth WWW User Survey Graphs. October 1998. <http://www.gvu.gatech.edu/user_surveys/survey-1998-10/graphs/privacy/q61.htm>. Accessed: 2/13/2001.
36 "Advertising Networks". GVU's Tenth WWW User Survey Graphs. October 1998. <http://www.gvu.gatech.edu/user_surveys/survey-1998-10/graphs/privacy/q71.htm>. Accessed: 2/13/2001.
37 "Revenge of the cookie chompers". The Cookie Trade: 5. <http://macworld.zdnet.com/netsmart/cookiestory5.html>. Accessed: 2/13/2001.
38 "Anti-Cookie Software". The Cookie Controversy. 1998. <http://www.cookiecentral.com/ccstory/cc5.htm>. Accessed: 2/13/2001.
39 "Revenge of the cookie chompers".
40 "Amazon's new payment system includes new Web tracking technology".
41 "Microsoft's inglorious record on privacy". What's News at Junkbusters. February 13, 2001. <http://www.junkbusters.com/ht/en/new.html>. Accessed: 2/13/2001.
42 "FTC recommends privacy legislation, finally". What's News at Junkbusters. February 13, 2000. <http://www.junkbusters.com/ht/en/new.html>. Accessed: 2/16/2001.
43 "Net Users Urge Standards Group to Protect Privacy". Electronic Privacy Information Center. April 7, 1997. <http://www.epic.org/privacy/internet/cookies/ietf_letter.html>. Accessed: 2/13/2001.
Endnotes - References
1 See section "Cookie - A Brief History and Objective" for an explanation of where the word 'cookie' came from.
2 This is not completely true as a Web server has some say in what domain names will have access to the cookie being set. More on this in the next section: "Cookies - A Brief History and Objective." For the time being, however, it will suffice.
3 This is, of course, assuming that the browser cannot be tricked into thinking that a request is coming from another domain other than where it is actually coming from, in which case the browser will send cookies to the server that the Web server is not entitled to. This bug was discovered on all Internet Explorer browsers for Windows platforms. More on this topic on the Peacefire.org Web site located at <http://www.peacefire.org/security/iecookies/>. For the purpose of this paper, we will assume that bugs in the browser are not detrimental to user privacy as they are quickly patched once discovered and thus are only of historical importance.
4 'Tail-matching' means that the domain attribute will be matched against the tail of the qualifying host name. For more detailed description, see the Netscape cookie specification at <http://www.netscape.com/newsref/std/cookie_spec.html>.
5 For more information on the path attribute, see the Netscape cookie specification at <http://www.netscape.com/newsref/std/cookie_spec.html>.
6 For more information on what criteria must be met by the host for a successful search for cookies, see the Netscape cookie specification at <http://www.netscape.com/newsref/std/cookie_spec.html>.
7 The problem is not only with marketing firms. Amazon.com, for example, deliberately requires to service its advertising graphics from its own servers so as to identify (and track) Amazon.com users. For more information on Amazon.com tracking technology, see "Amazon's new payment system includes new Web tracking technology" on What's News at Junkbusters at <http://www.junkbusters.com/ht/en/new.html>.
8 Microsoft attempts to convince its users that cookies are in fact their friends and it would not be beneficial to turn them off. More on the this topic on "Microsoft's inglorious record on privacy" at What's News at Junkbusters at <http://www.junkbusters.com/ht/en/new.html>. Microsoft's information on cookies can be obtained on "Cookies: What They Are, Why You Are in Charge" at Information About Cookies on microsoft.com at the address <http://www.microsoft.com/MISC/cookies.htm>.
9 The exact words used to explain transactions were "writing and reading information on a consumer's hard disk, without explicit authorization" (see "Net Users Urge Standards Group to Protect Privacy" at the Electronic Privacy Information Center at <http://www.epic.org/privacy/internet/cookies/ietf_letter.html>). Cookies fall into this category.