A lot of people who don't understand Internet technology (and don't need to or want to) are worried about something called a "cookie." That's because there used to be a lot of false information floating around. Unfortunately, most of it has come true. The truth about cookies is that they allow sneaky, dishonest, and greedy businesses to track you around the web. They allow invasion of your privacy by any web site that wants to sell you something, or to sell information about you to somebody else who wants to sell you something. The best thing to do with cookies is to refuse to allow them to be set. Unfortunately, that means that you may have to give up the ability to reach certain sites without logging in each time, and you may have to give up some site customization specifically for you. You have a choice: give up some convenience, or give up your privacy.
NOTICE: the domain names "zzzclick" and "zzzadults" used in some of the examples are fictitious, and any similarity to real domains is strictly coincidental. As of 08/03/2000 neither of these names was registered in the .com, .org, or .net primary domains. The author knows of no web site that implements all of the techniques described in this document. However, the author believes that several web sites exist that use some or many of the techniques described.
For additional information, visit the Netscape Cookie Specification.
Cookies are a general mechanism that can be used by a web site to store and retrieve information on the user's computer. The web site can only retrieve information sent to your computer by a web site in the same domain, and usually it can only retrieve information sent to your computer by itself. It cannot retrieve information sent by web sites in other domains, or any information about your computer or what else is stored on it. A cookie cannot hurt your computer or your hard disk. The use of cookies is a convenient way for greedy companies to violate your privacy so they can sell you something. Cookies are used mostly for on-line ordering systems, for tracking site navigation, for paid site access or members-only sites, for personalising web pages, and for tracking what you do and where you go on the web for privacy-invading marketing.
A cookie consists of four major parts:
Name=Value
This provides the kind of information (Name) and the actual data (Value).
Expires=Date&Time
This deletes the cookie when its information is obsolete. If a date and time are not specified, the cookie lasts only for the "session," and goes away when you shut down your browser. (Most cookies seem to expire in 2037. I don't know why a cookie needs to last 37 years, but I think it is the longest you can set one for.)
Domain=DomainName
This identifies the domain that set the cookie. The domain may include one or more web sites, as long as each site is part of the same domain. Multiple-site domains are usually used for a community of interest such as several sites about dollmaking. Any cookie coming from domain "zzzClick" or any server name that begins with "ad" or "ads" is probably being used to track you.
Path=DirectoryPath
This identifies a subset of the possible web pages that should receive the cookie from the browser instead of all parts of the domain. Usually it identifies the particular web site within a domain if there is more than one. Any cookie coming from domain "zzzClick," or any server name that begins with "ad" or "ads" is probably being used to track you.
Your browser may store a maximum of 300 cookies on your hard disk. There can be a maximum of 20 cookies from the same domain, and each cookie may be a maximum of 4096 characters long.
When you visit a web site that uses cookies, the server can send a cookie with each page or picture that you request. Your browser stores the cookie on your hard disk for later use. The next time you visit the same web site, even in the same session, your browser sends the same cookie back to the server with your next page request. There are two things that are important here:
Each cookie can only be sent back to the same domain that set the cookie in the first place. If the path has been set to identify a specific web site within a domain, the cookie can only be sent back to that specific web site. Greedy companies get around this by sending at least one picture (sometimes invisible) on every page from their snooping server, whose name usually begins with the name "ad" or "ads". This technique can also be used to request and send an invisible picture from domain "zzzClick" for example. With that invisible picture comes a cookie. The cookie is sent back with the request for the invisible picture on the next page.
If more than one cookie is sent by the domain, all cookies that match the particular domain may be sent back. Cookies that specify a particular web site within the domain will be sent only to that web site. Cookies that do not have a particular web site specified will be sent to any web site within the domain. If part of the page includes a picture (sometimes invisible) from a snooping server, any existing cookie for the snooping server will be sent back to the snoops so they can track you.
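The matching rules above, as an added example that is not part of the original article: a toy cookie jar that applies domain tail-matching and path prefix-matching, then shows the same cookie going back to an embedded picture server from pages on two unrelated sites. The host names under .example, the cookie values and all function names are constructed for illustration, and the leading-dot convention for a shared domain is a simplification.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str      # exact host, or ".suffix" shared by several hosts
    path: str = "/"

def domain_matches(host, cookie_domain):
    """Tail match: the request host must end with the cookie's domain."""
    host, cookie_domain = host.lower(), cookie_domain.lower()
    if cookie_domain.startswith("."):
        return host == cookie_domain[1:] or host.endswith(cookie_domain)
    return host == cookie_domain

def path_matches(request_path, cookie_path):
    """Prefix match: the cookie's path must begin the request path."""
    return request_path.startswith(cookie_path)

class CookieJar:
    def __init__(self):
        self.cookies = []

    def store(self, cookie):
        # A new cookie replaces an older one with the same name, domain and path.
        key = (cookie.name, cookie.domain, cookie.path)
        self.cookies = [c for c in self.cookies if (c.name, c.domain, c.path) != key]
        self.cookies.append(cookie)

    def cookies_for(self, host, path):
        """Names of the cookies a browser would return with this request."""
        return [c.name for c in self.cookies
                if domain_matches(host, c.domain) and path_matches(path, c.path)]

def browse(jar, page_host, page_path, embedded_hosts):
    """Request a page and its embedded pictures; report cookies sent per host."""
    sent = {page_host: jar.cookies_for(page_host, page_path)}
    for host in embedded_hosts:
        sent[host] = jar.cookies_for(host, "/pixel.gif")
    return sent

def demo():
    jar = CookieJar()  # constructed sample data below
    jar.store(Cookie("basket", "3-items", "shop.example", "/store"))
    jar.store(Cookie("uid", "constructed-12345", ".zzzclick.example"))
    shop = browse(jar, "shop.example", "/store/cart", ["ads.zzzclick.example"])
    news = browse(jar, "news.example", "/today", ["ads.zzzclick.example"])
    return shop, news
```

The shop's own cookie never leaves shop.example, while the picture server's cookie is returned from both pages because the picture request itself goes to the picture server's domain.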
Cookies are used mostly for the following purposes:
On-Line Ordering Systems:
If you have visited one of the sites that offers a shopping basket, you have seen one of the major uses of cookies. Each time you add an item to your shopping basket, the site adds the new item to a cookie that keeps track of what's in your basket. You can review what's in your shopping basket at any time, and add or delete items. When you check out, the site reviews the cookie to determine what's currently in your shopping basket. The site then sends the merchandise to you and bills it to your account. Even if you leave the site and come back another time, you'll find that your shopping basket is still there with the exact contents that it had when you left. This is because the information is retained in the cookie between visits.
Sometimes, when the site has better financing (enough money for a database), the cookie is just the key (identifier) to your records in the site's database. In this case, the database holds the shopping cart between visits as well as a complete history of everything you have bought and every page you have visited since the first time you came to the site. If you've ordered something, they probably have your name and address and maybe your email address. If they sent you a cookie with an invisible picture from "zzzClick" you also have a key to the "zzzClick" database stored as a cookie. That means that if you've bought something from more than one site, "zzzClick" can put you together on both sites and track you and keep personal information about you.
Site Navigation Tracking
A site designer is interested in how you visit the site, and where you travel on the site. This information helps him or her improve the site. One way of tracking your activity within the site is to have each page in the site add a page identifier to the cookie. By looking at the cookie, the site designer can determine how you moved around the site. By looking at a large number of cookies, the site designer can determine what parts of a site are the most popular, and what parts are hard to use. The site designer can then make the popular areas larger and the unpopular areas more interesting or easier to get to.
Another way of tracking your activity within the site is to send you a cookie that acts as a key (identifier) in the site's database. Then the database keeps track of every page visit (and what page on what site you came from to get there). If they are affiliated with "zzzClick," then "zzzClick" will know where you came from even when it's someplace not affiliated with "zzzClick."
Paid Site Access Registration
Some sites have an access charge. You can only go as far as the "lobby" of the site until you pay for access. When you pay for access by credit card, the site immediately sends you an identification code in a cookie. The next time you visit the site, your identification code is read directly from the cookie. If you pay for access by a check, the site sends you an identification code by e-mail after they receive your check. The next time you visit the site, you have to type in the identification code. After that, the identification code is stored in a cookie so that you don't have to type it in again.
This same technique can also be used for "members only" sections of a site where most of the site is available to anyone, but restricted areas such as biographies or newsletters are available only to members.
This brings up an interesting point: "zzzadult" is something like "zzzClick." They charge your credit card a small amount (to verify that whoever receives the bill knows about it so your kids can't use your credit card) and then send you a cookie for identification. This same cookie lets you into thousands of adults-only sites and allows you to be tracked, picture-by-picture, on every one of them along with all of your purchases tied to your credit card number and personal information. Isn't it a good thing that "zzzadult" is not affiliated with "zzzClick?"
Personalized Web Pages
Another use for cookies is personalization of web pages. Some sites allow you to specify the size of type or the background color. Other sites greet you by name each time you enter the site. One of the most impressive uses of personalization is a site that remembers your taste in music and then makes suggestions of what you might like to hear next. All of these sites use cookies to keep track of what you want and how your visit will be personalized.
Now, if I understand it correctly, cookies can be used to put together what kind of music you like, what kind of books you like, what you've bought on the internet, oh, and probably your medical and financial records can be matched up by your name and address. And the beautiful thing is that it's not the cookie that does this, so they can look you in the eye and say that cookies can't be used to steal information from your hard disk and be telling the truth - because that's not how it's done. They don't need anything on your hard disk except the cookie.
There are several reasons why people object to cookies:
It is possible to share information between different web sites within the same domain. Some people fear that their privacy will be violated. For example, when a single Internet Service Provider is the host to several related sites, possibly as a community of interest such as dollmaking, those sites may all share cookie information. (Mimi's Dollmaker's Paradise is a single site and does not use cookies.) While this is true, it is not something to fear. There are far more serious problems.
A number of very large commercial sites have pooled their information together to find out more about you than you have told any one site. These sites use information you tell them about yourself to track you from site to site, even in different domains. In this case, data about you is stored in a database and used for targeting advertising or other purposes. It is not the cookie that causes this problem, or even allows it. It is simply a fact of life that everything you do on the Internet leaves records behind. The cookie just makes it much easier.
Some people incorrectly believe that a cookie can be used to snoop or spy upon them or their system. THIS IS NOT TRUE. A cookie cannot be used to snoop or spy.
Some people incorrectly believe that a cookie can be used to damage their system. THIS IS NOT TRUE. A cookie cannot be used to harm your computer or your hard disk.
It turns out that the biggest reason that people fear cookies is because of false information. People who do not understand what is really happening are afraid. If they really understood, they would be terrified.
In a word, NO.
A cookie CANNOT snoop or spy on you.
A cookie CANNOT harm your computer or hard disk.
In a word, YES.
A cookie can help greedy companies and individuals collect information about you for targeting their advertising, and for other purposes.
Here are some of the advantages of allowing cookies to be stored on your hard disk:
If you use a shopping cart, it will be saved between sessions. If you leave the site without checking out, the contents of your shopping cart will still be there the next time you visit the same site.
For "paid access" and "members only" sites, you only have to type your identification code once (if at all), not once per visit or once per page. This is particularly a problem when you have many identification codes (all different) for different sites.
If you belong to a community of interest (several web sites about the same subject in the same domain), your information can automatically be shared among them so that you do not have to retype it each time you visit a site. The personalization information will also be maintained across sessions.
Here are some of the disadvantages of allowing cookies to be stored on your hard disk:
If you visit a site that tracks your activity, every page you visit and everything you buy will be in the database.
If you visit a site that is affiliated with "zzzClick," every page you visit and everything you buy on every affiliated site will be in the same database.
For "paid access" and "members only" sites, everything you do can be tracked, down to the individual pictures you look at.
Even if you really don't want cookies, it is a good idea to allow them to be set within a session. Just don't let them stay on your hard disk between sessions. This will give you some of the advantages of cookies and will get rid of some of the disadvantages. Here are some of the advantages of allowing cookies within a session:
You only have to type your identification code once, instead of once per page, when visiting "paid access" or "members only" sites.
Information from the session can be shared within a community of interest. It will not be saved between sessions.
And here are some disadvantages of not allowing cookies at all:
You generally can't use a shopping cart.
You may have to type your identification code for every page, when visiting "paid access" or "members only" sites. Alternately, you may not be able to visit "paid access" or "members only" sites at all.
Information cannot be shared within a community of interest.
If you don't want to allow cookies at all, check the help menu on your browser and look for the instructions for turning off cookies. Some versions of Netscape and Internet Explorer allow you to refuse all cookies. The "cookie manager" programs described below can also be used to refuse all cookies. If you need instructions for specific browsers, or what to do if your browser won't refuse cookies, visit http://www.junkbusters.com and click on "Cookies." (JunkBusters feels that cookies are also tied to direct mail and telemarketing - the bad guys figure out who to call based on your internet surfing habits. Spend a lot of time visiting certain types of sites, and you will start getting direct mail and telephone solicitations for whatever you've shown interest in. On the other hand, it will let you know what your kids are doing.)
If you want to allow cookies within a session, but you don't want to allow them to be stored on your hard disk, or you want to allow cookies only from certain sites, you will need a program called a "cookie manager." For Windows users, check http://www.thelimitsoft.com/ for the "Cookie Crusher" program. Other "cookie manager" programs are available through any of the major shareware sites. Search on "cookie."
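The kind of decision a cookie manager makes, sketched as an added example (this is not the code of "Cookie Crusher" or any other product): a cookie from an embedded server on a different site is refused, a persistent cookie from the site being visited is rewritten to last only for the session, and sites on an allow list keep their persistent cookies. The policy itself, the function names, the header values and the "last two labels" rule for deciding which site a host belongs to are assumptions made for illustration.

```python
def parse_set_cookie(header):
    """Split a Netscape-style Set-Cookie value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}

def site_of(host):
    """Assumption: the last two labels name the site (no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def apply_policy(page_host, response_host, header, allow_persistent=()):
    """Return (decision, header to hand to the browser or None)."""
    cookie = parse_set_cookie(header)
    if site_of(response_host) != site_of(page_host):
        return "refuse", None          # set by an embedded server on another site
    if "expires" not in cookie["attrs"] or site_of(page_host) in allow_persistent:
        return "accept", header        # already session-only, or a trusted site
    # Drop Expires so the cookie goes away when the browser is shut down.
    kept = [f"{cookie['name']}={cookie['value']}"]
    kept += [f"{k}={v}" if v else k
             for k, v in cookie["attrs"].items() if k != "expires"]
    return "session-only", "; ".join(kept)

def demo():
    # Constructed headers; 2037 is the far-future expiry the article mentions.
    far = "expires=Fri, 01-Jan-2037 00:00:00 GMT"
    page = "www.shop.example"
    return [
        apply_policy(page, page, f"basket=3; {far}; path=/store"),
        apply_policy(page, "ads.zzzclick.example", f"uid=constructed-1; {far}; path=/"),
        apply_policy(page, page, "sid=abc; path=/"),
        apply_policy(page, page, f"login=me; {far}; path=/", ("shop.example",)),
    ]
```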
If you want to clean up all the cookies, history lists, recent document lists, and everything else that can be used to see what you have been doing with your computer, you need a "washer" program. For Macintosh users, check http://www.webroot.com/macwasher.htm for the "MacWasher" program. For Windows users, check http://www.webroot.com/washer.htm for the "Window Washer" program. Other "washer" programs are available through any of the major shareware sites. Search on "cookie."
We use both "Cookie Crusher" and "Window Washer" on our computers.
If you want to surf the web totally anonymously under a fictitious name (and even accept cookies under that name), go to http://www.freedom.net or http://www.zeroknowledge.com/.
If you would like additional information about the commercial use of cookies for tracking and targeted advertising, please visit http://www.doubleclick.com/
If you would like additional information about verifying your status as an adult for the purpose of visiting sites with adult-oriented content, please visit http://www.adultcheck.com/
Copyright © Jim and Gloria Winer. You may make a copy of this article for your own personal use. Copying for commercial purposes is prohibited.