What’s in Your Cookie Jar?

From the Nolo eCommerce Center

Some websites plant files – called cookies – on your computer to collect and store information about you and your behavior on the Net. Here’s what you can do about it.

Imagine that when you walk into a mall, someone straps a device to your arm that tracks your shopping habits and other vital information. Each store you enter uses the device to learn about your purchasing behavior – for example, what items you examined and rejected – and maybe even to obtain personal information about how old you are and where you live. Would you accept this sort of shopping experience? If you use the Internet, it’s a moot question; you already do.

Most online shops already use a tracking technology known as a “cookie.” This is computer slang for data that is stored on your hard disk so that a website will recognize you next time you arrive. You supply the information in each cookie – usually by completing a registration form at the commerce site. The site then sends this information back to your computer for storage and later retrieval.

Why do website developers bother with cookies? Because they allow websites – which usually do not maintain information about users – a way to greet you personally and save you from having to repeatedly provide basic information, such as your name, address and credit card number. For example, if Stan Jones visits Amazon.com, the fact that Amazon uses cookies makes it possible for the company to say, “Welcome Stan Jones, we have some recommendations for you!” And when Stan goes on to purchase the collected works of Marcel Proust, he can use Amazon.com’s 1-click ordering program, which reads the data stored in Stan’s computer so he doesn’t have to resubmit all that boring name and address information each time he orders. A cookie may even supply the site with credit card information in a secure encrypted transfer. And the information placed in a cookie is not only useful in the context of e-commerce. It can also enable you to receive a customized home page that, for example, supplies entertainment news, but not sports. Finally, cookies provide marketing information; they can track the ads you click on in order to provide you with similar banner ads in the future.

What’s in Your Cookies?

Cookies are not active software programs designed to accomplish defined tasks. Instead, each is a passive data structure (a text file similar to the text supplied in email) that can be read only by the site that created and planted it in your hard drive. Because they are not active programs, they cannot cause or carry viruses. If you want to see what information is stored in your cookie file, use a text editor or a word processor to open a file called cookies.txt or MagicCookie in your browser’s folder or directory. Or visithttp://www.cookiecentral.com/stopcm.htm, a Web page that allows you to view the contents of your cookie files.

What’s Wrong With Cookies?

If cookies are passive and assist in personalizing your Web experience, why do so many users object to them? Because the placement and retrieval of cookie information is too often used to track your behavior on the Web. For example, DoubleClick.com, the company that pioneered many promotional advertising schemes on the Web, has formed alliances across the Net that allow the company to track surfers’ personal data and shopping habits. Cookies provide DoubleClick with your IP address (a unique number assigned to every computer on the Internet), geographic location, company, type and size of organization, domain type (.com,.net,.org or.edu.), type of browser, operating system, service provider, and which pages you viewed when you visited a DoubleClick client’s site. For a complete explanation of what DoubleClick collects, view its privacy policy by going to http://www.doubleclick.com and clicking on “Privacy Policy.”

The tracking information that DoubleClick and others collect is merged with information voluntarily supplied by consumers to form profiles that are used to target advertising. At one point, prior to recent consumer uproar which resulted in DoubleClick scaling back its privacy invading priorities, DoubleClick was reportedly gathering more detailed information, including sales purchases, video rentals and even each search term used by a consumer on some popular search engines.

Consumer watchdog groups object to this compiling and use of personal data obtained by using cookies as tracking devices. Angry consumers in California have sued DoubleClick over its practices of obtaining and selling consumers’ private information without consent. Similar claims have also been filed against Amazon and other cookie collectors. In a lawsuit in Texas, one angry litigant sought protection from cookies using Texas’ anti-stalking laws. Consumer complaints have also spurred the Federal Trade Commission to investigate the privacy concerns arising from the use of cookies.

So far, no laws ban or limit the use of cookies when gathering information about adults. But Section 312 of the Children’s Online Privacy Protection Act (http://www.gseis.ucla.edu/iclp/coppa.htm) prohibits the use of cookies and other passive tracking devices for the purposes of collecting or maintaining personal information from a child unless parental consent has been given. In addition, Senator Robert Torricelli (D-N.J.) has announced he will propose a bill to regulate the use of personal information and Web cookies on the Internet. According to Torricelli, the bill would require websites to ask permission before using personal customer data, and would also require companies to disclose when they use cookies to track their website visitors elsewhere on the Internet.

Currently, cookie-using firms such as DoubleClick simply take in the data and require consumers to notify them if they don’t want it used. For example, to prevent DoubleClick from gathering information, you must go to their site and opt of both “email cookies” and “ad cookies.” The problem is that most consumers, who don’t fully understand the extent to which their privacy is at risk, don’t know how to opt out. That’s why many privacy groups favor legislation such as that proposed by Senator Torricelli, which requires sites to get consumer permission (or opt in) before collecting or using the data gathered by cookies.

How to Cut Your Cookies

If you want to be warned when you are about to receive a cookie, both Netscape and Internet Explorer (IE) can be programmed to notify you. In IE4 and Netscape, go to the View menu, Options, Advanced and tag and click on “warn before accepting cookies.” In IE5, you must go to Tools, Internet Options, Security, and then Click on “Custom Level.” Then click the appropriate choice under Cookies. If you’re bothered by the use of cookies,http://www.CookieCentral.com and http://www.Junkbusters.com describe how to disable them, but that requires some knowledge of file editing and management. In addition, it’s possible to turn cookie technology off on a site-by-site basis so that you can still safely use some sites without worrying about privacy concerns at others. To this end, both Cookie Central and Junkbusters offer software programs that allow you to control which sites can send you cookies.

If you want more information, the U.S. Department of Energy Computer Incident Advisory recently issued a report on the potential dangers of cookies.

Click here for related information and products from Nolo

© 2002 Nolo