Russell Vardell
CECS 5420
12 December 1997

The Paper: Have a Cookie?

"everytime a schmo surfs to a different channel, the Demosphere notes that he is bored with Program A and more interested, for the moment, in Program B. When a schmo's paycheck is delivered over the I-way, the number on the bottom line is plotted in his Profile, and if that schmo got it by telecommuting we know that too -- the length of his coffee breaks and the size of his bladder are an open book to us. When a schmo buys something on the I-way it goes into his Profile, and if it happens to be something that he recently saw advertised, we call that interesting, and when he uses the I-way to phone his friends and family, we Profile Auditors can navigate his social web out to a gazillion fractal iterations, the friends of his friends of his friends of his friends, what they buy and what they watch and if there's a correlation."
---- Neal Stephenson's "Spew" (1995)

What this author relates as a future occupation (Profile Auditor) and a future pitfall (the "Profile" of consumers) has yet to actually take place; however, some worried "net-izens" are fearful that such technology may not be far off; in fact, it may already be baking as "Cookies."

Cookies (or "persistent cookies," or "Magic Cookies") for computer users are pieces of data, small files, stored on a user's hard drive after visiting a web site. The cookie is placed there by means of the web browser. Data stored in a cookie can be retrieved on subsequent visits to the same web site, as the cookie placer can read the stored data. Such data reflects movement across the Web and might include a user name, maybe a password, a list of items purchased, personal preferences, and such. There seems to be a limit of 300 cookies per user; exceeding that limit causes older cookies to be dropped as the newer arrive.
(Whalen, 1997; Gimon, 1997; Randall, 1997)

For the instigators of cookies, Netscape Corporation and others, a cookie offers the web surfer a service, a kind of recognition of who they are, or at least, what they have been about. Furthermore, cookies allow some flexibility: a second visit to a site after cookie placement would allow a new screen to be seen, a "what's new" message to appear relevant to the last visitation date, a list of shopping preferences, recognition of a password, or billing information, or some other customized service, just for that unique user, identified by the cookie. (Gimon, 1997; Randall, 1997) In addition, some companies, such as Flashnet, allow cookies, as they argue it prevents repetitive exposure to the same ads. (Flashnet, 1997)

Sample cookies are available for Web Designers and other interested persons; take a look at Bill Dortch's work at hIdaho Designs (www.hidaho.com/cookies). Or simply to see a cookie in action, try out www.illuminatus.com/cookie.fcgi. (Be sure to watch the change in dollar amount after you reload.)

Critics have arisen to challenge this benevolent view of cookies. An early concern centered around the idea of someone tampering with another person's hard drive. Today, few argue that this is a real issue. That is, these cookies cannot damage the machine or introduce viruses, since they are merely strings of text characters -- data that is placed, not executable files.

More recently, the issue has been Internet privacy. Those concerned generally argue that this tracking by cookies is tracking by stealth -- perhaps not to the advanced degree of the fictional Profile Auditor, but stealth all the same. Only recently have many persons realized that cookies have been left for some time after their Web surfing.
Many are the PC users who consult their Find File button and discover "cookie.txt" files, not of their own creation; Mac users can find a more whimsical "MagicCookie," but its presence marks the same intrusion by someone else into personal hard drive space.

For cookie critics, these crumbs of data left behind are seeds of control, monitoring, or accusation. Those particularly bothered voice concerns about a government that might monitor political issue interest, an insurance company that considers time spent on cigarette sites and its effects on health insurance status, or some other sinister agent. (Gimon, 1997) Groups have formed to challenge these perceived threats, including the Electronic Privacy Information Center and the Center for Democracy and Technology.

So far, there has been no real threat from such entities; however, there are corporations with extreme interest in cookies -- marketing firms. One of the more famous (or notorious) is "doubleclick.net." DoubleClick claims no desire to violate privacy, stating "Internet user privacy is of paramount importance to DoubleClick, its advertisers and our affiliate Web sites." (DoubleClick, 1997) What DoubleClick (as well as Globaltrack, Focalink, and others) does admit is that they track Web site visitation, explaining their purpose is "to track ad exposure." DoubleClick wishes to avoid users being "bombarded" by the same ad over and over. Plus, they point out, there are features available to avoid cookies.

Here again, critics wade in to challenge this non-threatening version of the cookie. In particular, the world-wide DoubleClick is the frequent target. One author has pointed out that in a DoubleClick Web page (now restricted from casual users), the management refers to cookies being so successful because they are "transparent," that is, not easily visible to a Web surfer.
And DoubleClick offers not just protection from being "bombarded"; it is also assembling databases on users, or at least on the computer that is visiting a site with cookies. The information from that database is available to subscribers, not just the particulars from one visit. Besides that, cookies are often planted in surprising spots, like the Alta Vista browser, quite independent of a particular site to be visited. All this sets up the cookie corporations for charges of deception, if not deception itself. (Gimon, 1997; CookieCentral, 1997)

So what are the real issues then? If "A COOKIE CANNOT READ YOUR HARD DRIVE TO FIND OUT WHO YOU ARE, WHAT YOUR INCOME IS, OR WHERE YOU LIVE," then what is the problem? (Whalen, 1997) The issue, it seems, is the uncertainty and the perception of the violation of privacy rights. Certainly one cookie will not hurt a person, but what can a steady diet do? Certainly there are databases being created out of cookie data and data forwarded by users of their own volition. To check what is quickly available about you or your searching computer, try a visit to the Center for Democracy and Technology at www.13x.com/cgi-bin/cdt/snoop.pl for their service "Who's watching you and what are you telling them?" The information is small but a start from only one visit; imagine what repeated visits might create, plus add the accumulation of information from visits to other locations.

Even if this is merely a potential privacy violation currently, if you are concerned, what can be done? Well, first, nothing is an option. You may be an open book to the world. Or, you may simply desire to reject offered cookies, when asked by your browser. (However, this can become tedious when you are asked a dozen times before you can enter some solitary locations.) Yet, this remains a user-initiated action; users must "opt out" rather than being asked for permission in many cases.
Yet, others are supporting efforts for some kind of protocol for Internet privacy that would include some cookie-curbing. (Glave, 1997)

So is more aggressive action possible? Yes. There is a wide range of options. Some have suggested creating your own "cookies.txt" file that is read only, thus preventing any more cookies from being added. Others suggest the option of using one of the "anonymizers": sites that allow a user to surf the Internet with a provided identity from the anonymous server rather than a home machine. And recently, various vendors have offered anti-cookie programs, either as shareware (for example, http://home1.gte.net/dsavrnoc/cookie.htm) or for purchase (such as Cookie Pal from www.kburra.com/cpal.html).

My favorite suggestion is from those who urge sensible caution. Remember, the cookie can only record whatever a user allows. That is, it records registration material, submitted names and addresses, and credit card information. (Whalen, 1997) Do as little of that as possible, or none of that if possible. Give fake names and addresses, when required for a site; do not register software, but still abide by the license agreement; for some Web searches use a neutral machine from work or a university lab. And, of course, do not give out credit information without a thorough check.

At this point in time, at least for my use, I do not believe there is that much to fear. Perhaps the shrill voices of fear are exaggerated, but they may draw enough attention that some protocols will be drafted. Yet, I am certainly not persuaded by the marketers that there is nothing to fear. Pre-caution, precaution is the key.

References

DoubleClick, HomePage (On-line) www.doubleclick.net/nf/general/onpriset.htm
Flashnet, "Cookie Information" (On-line) www.flash.net/cookies.htm
Gimon, Charles A. "How the cookie crumbles" TwinCities InfoNation.
(On-line) www.info-nation.com/cookie.html
Glave, James, "Complete Cleanup" (On-line) www8.zdnet.com/pcmag/features/cookie/ckr1.htm
Kookaburra Software, "What is cookie pal?" (On-line) www.kburra.com/cpal.html
Randall, Neil, "Cookie Managers" Wired (On-line) www.wired.com/news/technology/story/2196.html
Richter, Mark and Savrnoch, Dave, "The Cookie Cruncher" (On-line) www.home1.gte.net/dsavrnoc/cookie.htm
Stephenson, Neal, "Spew" (On-line) www.pha.jhu.edu/~danforth/arc/Neil_Stephenson-Spew.txt
Whalen, Dave, "Cookie FAQ" (On-line) www.cookiecentral.com/unofficial_cookie_faq.htm (See related sites /cookie5.htm; /mim03.htm; /c-virus.htm; /dsm.htm; /dscprop.htm)
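
Added example (not part of the original paper): the cookies.txt file that the paper describes PC users finding on their drives is plain text and can be audited directly. The Python script below assumes the Netscape cookies.txt layout of seven tab-separated fields per line and reports which domains hold unexpired cookies and for how long; the sample file contents, the .test host names, and the watch-list parameter are constructed for illustration.

```python
# Added example: audit a Netscape-format cookies.txt file.
# Each data line has 7 tab-separated fields:
# domain, subdomain flag, path, secure flag, expiry (Unix time), name, value
from collections import defaultdict

NOW = 881884800  # 12 December 1997 00:00 UTC, the date of the paper

# Constructed sample file contents (not taken from a real machine).
SAMPLE = (
    "# Netscape HTTP Cookie File\n"
    ".doubleclick.net\tTRUE\t/\tFALSE\t1893456000\tid\tA1B2C3D4\n"
    "www.example-shop.test\tFALSE\t/\tFALSE\t883612800\tcart\titem42\n"
    "www.example-shop.test\tFALSE\t/\tFALSE\t946684800\tuser\tvisitor7\n"
    "old.example.test\tFALSE\t/\tFALSE\t852076800\tsession\tx\n"
    "this line is damaged\n"
)

def parse_cookies(text):
    """Return a list of cookie dicts, skipping comments and malformed lines."""
    cookies = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7 or not fields[4].isdigit():
            continue  # malformed entry: skip it rather than crash
        domain, _, path, secure, expiry, name, value = fields
        cookies.append({"domain": domain.lstrip("."), "path": path,
                        "secure": secure == "TRUE", "expiry": int(expiry),
                        "name": name, "value": value})
    return cookies

def audit(text, now=NOW, watch=("doubleclick.net",)):
    """Group unexpired cookies by domain and flag domains on the watch list."""
    report = defaultdict(lambda: {"names": [], "days_left": 0, "watched": False})
    for c in parse_cookies(text):
        if c["expiry"] <= now:
            continue  # already expired, so the browser would discard it
        entry = report[c["domain"]]
        entry["names"].append(c["name"])
        entry["days_left"] = max(entry["days_left"], (c["expiry"] - now) // 86400)
        entry["watched"] = any(c["domain"] == w or c["domain"].endswith("." + w)
                               for w in watch)
    return dict(report)

if __name__ == "__main__":
    for domain, info in sorted(audit(SAMPLE).items()):
        flag = "  <-- ad network on watch list" if info["watched"] else ""
        print(f'{domain}: {info["names"]}, {info["days_left"]} days left{flag}')
```

A cookie set by an advertising domain with an expiry decades away stands out immediately in such a report, which is the persistence the critics cited above object to.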