P. F. (Pat) Anderson

Internet Cookies: How Edible Are They?

"HealthTech Column" in Health Care on the Internet 2(1), 1998.

P. F. Anderson, Media Librarian
Barnes Learning Resources Center
Galter Health Sciences Library
Northwestern University
303 East Chicago Avenue
Chicago IL
60611-3008
pfa@nwu.edu

Table of Contents

Intro
Last week a colleague at another health science school called with a question. She told me her school had only recently made Internet access available through their computer lab, and they were experiencing a variety of problems in helping their students adjust to the new toy. I could certainly imagine a number of problems which might have come up, but most of the problems I imagined had to do more with the social dynamics of Internet access in a less than private environment. Much to my surprise, her biggest concern had to do with cookies!

What is a Cookie and Why Should You Care?

Briefly, a cookie is a techie shorthand for a way to maintain a persistent client-side state. In translation, cookies allow web site providers to track information abou patterns of use by individual users of their web site. Without cookies, the information gathered by web site providers tends to be limited to how many hits, and from what domains. Some servers gather a bit more, but typically when you are using the Web, you are anonymous, there is no trail among the web sites you frequent to show which other web sites you are using or how often you visit a particular site or any other related information.

Right now, cookies are a political hot potato in web culture. While they offer substantially increased functionality to the users by allowing web sites to simplfy and potentially customize portionso f the web site to the specific user, this is done at the risk of comprising the privacy of the users. An analogy might be the frequent buyer cards some grocery stores offer, which offer the shopper price discounts in exchange for a detailed accurate tracking of the purchasing patterns of the individual shopper, with the potential for selling that information gathered to other interested third parties. Another similar technology is the use of Caller ID by retail services which sell primarily over the phone.

Like grocery stores, most of the web sites limit use of the information to internal purposes, but consumer watchdogs are concerned because of the potential for abuse of the information. If you are a regular Web user, chances are your computer has agreed to accept offers of cookies from other sites without you ever being aware of the transaction. Organizations like the Center for Democracy and Technology (http://www.cdt.org/), Electronic Privacy Information Center (http://epic.org/), and the Electronic Foundation Federation (http://www.eff.org/) have expressed strong reservations about the use of cookies, especially that use of cookies is generally transparent to the user, so people are not aware that their activities are being watched.

Who Uses Cookies?

Cookies can be used by virtually any web site provider, but currently tend to be used mostly by commercial sites or sites which are primarily supported by commercial advertising. Examples of some of the better known sites using cookies include Amazon Bookstore, A. T. & T., CDNow (a music superstore), Disney, HotWired and Microsoft. Most of the major search engines also use cookies, such as Excite and Infoseek, and a great many of the best known news sites, such as the New York Times Online. Just because these are general interest sites, don't make the mistake of thinking that health information seekers are immune -- Medical Matrix, one of the largest collections of health and medical web links, uses cookies.

Because of the negative reaction from various watchdog organizations and a general outcry among users, excessive or unnecessary use of cookies is considered to be poor web design. One web design instructor of my acquaintance goes so far as to call it "rude." Opinions range to the other extreme as well, with some users who see cookies as a way to potentially get free merchandise and entertaining mailing lists. Persons of that persuasion sometimes go as far as to seek out pages which offer cookies. The best example of this other extreme is Robert Brooks' Cookie Taste Test (http://www.geocities.com/SoHo/4535/cookie.html), which attempts to list all known sites which offer cookies, although at the time of this article, he was not listing health or medical sites which used cookies.

What Are They Doing With Cookies?

Most sites using cookies are actually making good use of them. Sites which require registration may use cookies to remember who you are, or remember your password for you. Sites which provide commercial advertising (usually banners across the top and bottom of pages) can use cookies to attempt to show you only ads which will be of genuine interest to you, ie. targeted marketing. Sites funded by investors or public service organizations may be trying to prove they are reaching their intended target audience.

What Could They Do With Cookies?

The watchdogs are right when they say it should make people nervous to think that everytime you use a search engine, someone knows what you searched for, and what links you actually visited. Now consider that the possibility exists that information gathered by one site and identified by your e-mail address could be connected to information stored by a different site and also identified by your e-mail address.

Now imagine that you have been searching the web for information about drugs to treat a particularly personal disease, and that this information is somehow connected to a file retrieved by your health insurance company, who then raises your rates without checking to see whether you have the disease yourself, or a friend has it, or simply read an interesting piece of fiction in the New Yorker!

This is not currently possible. Sites can only read or write to cookies from the same server as the one which sent the original cookie. However, the same way cookies were developed because they met a useful function for the programmers and designers of web systems, it would possible to code something to do this, if the powers that be felt it was desirable.

To see how parts of the advertising and marketing community have been working on refining this type of use of cookies, try visiting http://www.doubleclick.net/, especially http://www.doubleclick.net/advertising/howads.htm.

What Can't They Do With Cookies?

There are a number of concerns about potential uses of cookies that are not possible. One is that it is a small step to go from allowing a server somewhere to write small pieces of code on your local machine, to giving that server access to browse your hard drive and see what you have. Again, this is not currently a feasible use of cookies.

How do I Find Out What Cookies I Have Already Accepted?

The cookies are stored on your hard drive, and can be opened with any text editor, even your regular word processor. I would not recommend editing the file, but it is certainly possible to look at it and get an idea of what's been going on. In Windows, the easiest way is to use the Find File command to search for a file called cookie.txt, then use your text editor to open that file. On the Macintosh, go to the System Folder, Preferences Folder, Netscape Folder, and open the file called "MagicCookie." The cookie file will look something like this: 

# Netscape HTTP Cookie File
# http://www.netscape.com/newsref/std/cookie_spec.html
# This is a generated file!  Do not edit.

.excite.com	TRUE	/	FALSE	946641600	UID	BC448EF6373C74E5
.infoseek.com	TRUE	/	FALSE	897102622	InfoseekUserId	586C3C61E0C8AFA0FF504C9706ACE5F2
.hotwired.com	TRUE	/	FALSE	946684799	p_uniqid	zo9KnNNNzcqm6/s29D

This cookie file is for an imaginary person who has visited Excite, Infoseek, and HotWired, which you probably already figured out. The rest of each line is code which can be decrypted by the database which receives and stores information at the server side. You have no way of knowing what the code represents or what other information they have linked to your ID.

How do I Stop Cookies?

There are a great many options for controlling cookies on your own computer. The one most people try first is to reset the settings from their browser, something which is supported in both Netscape and Microsoft Internet Explorer, recent versions. Earlier versions of the browsers gave no control over cookies to the user, simply accepting all cookies. There are so many browsers and platforms which have slightly different ways to do this, that I leave it to you to explore your menus until you find the setting for accepting cookies. Just a warning, though -- this tells the computer to ask you for permission every single time a server tries to send a cookie, which can be once for every image on a page, if the site is designed poorly. This is why it is also known as the "Annoy Me" button.

A low-tech solution is simply to edit your cookie file periodically (some people do this with every web session), and empty the file by deleting all the cookies. Or you can set the cookie file to read-only. Some people have written small batch files which delete the file everytime Netscape is started up. These solutions, while offering you privacy without interfering with your freedom to surf, by not allowing cookies to be created will require that for sites which require registration you must register as a new user everytime you visit the site. Naturally, if it is a passworded site, you will need to remember your password yourself.

A number of concerned individuals and corporations have created more sophisticated solutions. Each of these has its own strengths and weaknesses. Usually the site which offers the resource will include an FAQ describing the advantages and disadvantages of their product. One of the easiest to use is the well known Anonymizer (http://www.anonymizer.com/). You simply set the Anonymizer web site as your homepage, and it allows you to browse the web in privacy. It is possible to configure the Anonymizer to present you as a particular fictious account (although not for e-mail purposes). Some regular users of the Anonymizer have found it helpful to register for one of their high-speed accounts.

Many of the other products to provide you with privacy on the web are actually utilities for your computer. Some examples of these are: Additional programs can be downloaded from a variety of shareware libraries. For Windows: Cookie Cruncher, Cookie Pal, Cookie Crusher, Cookie Web Kit, and Crumbler. For the Macintosh: CookieCutter, NoMoreCookies, ScapeGoat (which also stops animated gifs - one of my personal pet peeves), and WebFree.

So What's the Bottom Line?

The bottom line is that only you can decide what is more important to you: a certain level of privacy, or convenience and ease of use on the Web. Hopefully, this has given you some of the information to make an informed decision. For additional information, you may want to check some of the resources and articles listed at the end of this article. In the meantime, I wish you safe and secure surfing.

Recommended Articles about Cookies

Barr, Christopher. "The Truth about cookies." C|Net.
URL: http://www.cnet.com/Content/Voices/Barr/042996/

Michelsen, Greg; Rein, Lisa. "Five reasons people find cookies objectionable & how to address them." Netscape World, February 1997.
URL: http://www.netscapeworld.com/netscapeworld/nw-02-1997/nw-02-cookie2.html

Negrino, Tom. "Netsmart: The Cookie Trade." Macworld. (Macworld Online Special Report.).
URLs:

Sullivan, Eamonn. "Are Web-based cookies a treat or a recipe for trouble?" PC Week, June 26, 1996.
URL: http://www.8.zdnet.com/pcweek/reviews/0624/24cook2.html

Related Resources

Sidebar: Cookie Demo Sites

 For a fairly discrete example of the type information commonly collected by cookies, you might want to visit the Center for Democracy and Technology's "Privacy Demonstration Page."

URL: http://www.cdt.org/ (choose "Privacy Demonstration Page"), or try going in directly for a different response, at: http://13x.com/cgi-bin/cdt/snoop.pl

If you use one of the major internet access providers, such as America Online, Compuserve, MSN, or Prodigy, you might want to also look at the CDT's "Online Services Policies Chart," which show the approach taken by the major providers toward the privacy of their clients and sharing of the clients' personal information. URL: http://www.cdt.com/privacy/online_services/chart.html

Date last modified: September 12, 1997.
Return to Bibliography.
Return to Pat's Pro Page.
URL of current page: http://www-personal.umich.edu/~pfa/pro/articles/cookie.html