Chunky chocolate chip. That's the first thing that comes to mind when someone mentions cookies. Today's article will contain two tips. The first is always use a glass that is wider than the cookie for dunking in milk; otherwise you'll only have a small portion of the cookie dunkable at a time.
Now, on to the tip for which you're probably reading this article. I'm sure that many people have read or heard opinions about cookies, how they are truly evil and can take over your life. There are a lot of free and inexpensive programs to eliminate or help control cookies, and the initial response when presented with an option to accept a cookie is usually not to do so. But what information are cookies actually gathering? Are cookies really dangerous? And the most important question is should you care?
The first thing to consider is what are valid uses of cookies.
- When browsing to a Web mail site such as Yahoo or Hotmail, a cookie can be used to remember your login name. This can save you the trouble of typing it in again. Cookies will also usually be used to store authentication information for a session. What this means is that while you are browsing back and forth in your Web mail session, a cookie can make sure that you won't have to trouble yourself typing in your password each time you go back and forth between viewing your list of e-mails, address book and sending mail options.
- When browsing to a news site, cookies can be used to keep track of the type of news that you prefer, so as to present you with your preferred type of news (sports, world, technology, etc) automatically.
- Any time that a Web site remembers something about you, it is probably a cookie that is enables it to do so.
Now that we've acknowledged that there are benevolent and theoretically useful reasons for using cookies, there are two major points that must also be considered before coming to a conclusion (other than the conclusion that chunky chocolate chip are the best kind).
- Almost all functions that are associated with cookies can be replicated using other technologies. Cookies may be among the easiest ways to do things, but they are not absolutely necessary for a Web site to function.
- The grand majority of cookies that will end up on your computer will not be from the Web sites (and servers) that you browse to.
Let's take an example. Having just enabled the option in my browser to ask every time a server attempts to save a cookie, I browsed to one of the sites on which I like to read IT news. Normally I set my browser to never accept cookies, so I was expecting to get one or two from the site (for my username and viewing preferences). Imagine my astonishment to get cookies from three servers that are in no way related to the site that I was browsing, in addition to two from that site.
Further investigation (viewing the source of the page in my browser and looking up the companies who ran the servers that sent the cookies) yielded the fact that the advertising banners on the site were being pulled from other servers (run by marketing companies), and those servers were submitting the cookies.
Going back and forth to different pages within the site and monitoring any addition to or query of the cookies in question, revealed that the information of what pages and what banners I viewed and clicked was being sent back to the servers. Being as the cookies were stored on my computer, this also applied to any later times when I closed my browser, restarted it and went back to the site.
How does this affect most people? The majority of the population probably doesn't care. Marketing companies will continue to collect data about their online habits including browsing, shopping and any other related activities, and it will probably never become apparent to them. For organizations with privacy policies or those people like me who feel that their privacy is violated, there are not very many things that can be done about it other than not to accept cookies. Some content filtering firewalls have the ability to strip cookies from any browsing, some personal firewall software packages claim to be able to only allow cookies that will not include personal information, but in the end the only thing that can ensure that cookies will not be used to violate your privacy is not to accept them.
For most sites, one can get by easily without having to accept any cookies. Approving cookies on a case-by-case basis will increase the amount of effort that a person will have to put into their online experience and will probably be too much for most. One option available in the latest revision of some browsers is to only accept cookies from sites that are specifically browsed to, although that does not prevent the owners of these servers from collecting information about an individual. While organizations can implement technologies to enforce the security and privacy of users, what individuals do is up to them, and unfortunately, we are once again witness to a situation where we see the conflict between security and ease of use.
About the author
Jeffrey Posluns is the founder of SecuritySage, a leading-edge information security and privacy consulting firm. Prior to SecuritySage, Jeffrey founded and co-founded several e-commerce and security initiatives, where he served as President and/or Chief Technology Officer. He is looked to as an authority to speak on information security and privacy related issues and trends at conferences, in law enforcement forums and in the media. He is a regular speaker at industry conferences organized by such groups as the Information Systems Audit and Control Association (ISACA) and the Association of Certified Fraud Examiners (ACFE). Jeffrey is also a trainer for the Certified Information Systems Security Professional (CISSP) certification course.
This was first published in January 2003