Cookies and "spyware"
are they or aren't they, that is the question


What is a cookie?
Information gleaned from a variety of sources:

A cookie is a text file, sent from a web server to a user's browser, which stores it. When you go to the same web server later, the browser sends this information string back to the server, which uses it to "recognize" the user.

A typical cookie looks like this.

__utm1
3970643424.1169517400
www.somesite.com/
1088
2350186496
32111674
3105571488
29834897
*
Others are more complex, others even simpler, but all this says is "I visited X site", and all the numbers are references back to the host and time.

This string of characters has a maximum size of 4 KB and cannot contain executable code. A cookie contains information such as the requested URL, the expiry date of the cookie and user content, such as ID numbers, normally assigned by the website itself, as you can see above.

There are "persistent" and "session" cookies. Persistent cookies remain valid for X period of time specified by the web server (example: keeping your shopping cart information for X time is a common use). Session cookies are trashed as soon as the session ends, which usually occurs when the browser is closed down. A good example for the use of session cookies is online banking.
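The sample record above can be decoded field by field. The following is an added example, not part of the original article; it assumes the record follows the layout of Internet Explorer's cookie text files (name, value, host/path, flags, expiry low/high, creation low/high, then `*`), with both times stored as two halves of a Windows FILETIME.

```python
from datetime import datetime, timedelta, timezone

# The sample record shown above, one field per line; "*" ends the record.
SAMPLE = """__utm1
3970643424.1169517400
www.somesite.com/
1088
2350186496
32111674
3105571488
29834897
*
"""

# Assumed field order (Internet Explorer cookie text file layout).
FIELDS = ("name", "value", "host_path", "flags",
          "exp_low", "exp_high", "created_low", "created_high")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(low, high):
    """Join two 32-bit halves into a count of 100 ns ticks since 1601-01-01."""
    ticks = (int(high) << 32) | int(low)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_cookie_file(text):
    """Return one dict per '*'-terminated record; reject malformed records."""
    cookies, record = [], []
    for line in (raw.strip() for raw in text.splitlines()):
        if line != "*":
            record.append(line)
            continue
        if len(record) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(record)}")
        f = dict(zip(FIELDS, record))
        created = filetime_to_datetime(f["created_low"], f["created_high"])
        expires = filetime_to_datetime(f["exp_low"], f["exp_high"])
        cookies.append({"name": f["name"], "value": f["value"],
                        "host_path": f["host_path"], "created": created,
                        "expires": expires,
                        "lifetime_days": (expires - created).days})
        record = []
    return cookies


if __name__ == "__main__":
    for key, val in parse_cookie_file(SAMPLE)[0].items():
        print(f"{key:14} {val}")
```

For the sample this reports a creation time of 2007-01-23 01:56:40 UTC and an expiry of 2038-01-18 00:00:00 UTC, so it is a persistent cookie with a lifetime of about 31 years. The second half of the value, 1169517400, is that same creation time in Unix seconds.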

These are legitimate uses of cookies, in fact, in the case of most shopping carts, they don't work without them.



The problem with Cookies

Convenience Vs Risk

Cookies are always spy-ware in only one sense. They are used to track information and pass it back to the host server. Any average hit counter is, by this definition, spyware, in that it tracks your movements and records them for the webmaster. This is useful and much needed information, however, as it tells the webmaster what pages are viewed most and where the referral to that page came from. This is not personally identifiable. A hit counter, which is a tracker that uses cookies to do it, just tells the webmaster that on X date, person X (identified by your IP number) visited the site and went here, there and over there, and they came in from that way. End of report.

Here's how cookies work: Say you visit X.com. You buy a Y. The company downloads a text file to your computer, which includes an ID number they generated just for you. See example above.

A week later, you go back to the X site. The first thing your browser checks for is an X cookie. It finds it, and sends it to X's host computer.

When the X site opens, the X Co. has the information about the sale a week ago in its own database. It matches the ID number in the cookie to the sale information, and customizes the page to appeal to you, based on what they already know about you.

When you next make a purchase, you won't have to enter your credit-card number or address. That will already be filled in too. Again, that came from the database, and was enabled by the cookie. It is not ON the cookie. Consider this a moment: what is on the cookie is an ID number that tells the host server you are a repeat customer, and then it goes and fetches all the host server knows about you. The cookie itself does not contain this information, or should not.

3rd party cookies, the problem

3rd party cookies are generated by companies that get paid to obtain as much information as possible about your viewing habits, preferences and computer settings. "Any cookie that is shared among two or more web pages for the purpose of tracking a user's surfing history is considered by most people to be an invasion of privacy." This is the case with most advertising banners that try to issue cookies.

Are cookies spyware? No, not really
They do not install trojan horses or malicious code. They do not monitor keystrokes or steal your credit card numbers. The only way a site gets that info is if you give it to them.

Can Cookies be Abused? Yes 

Some developers have been known to use cookies to gather information without the surfer's knowledge, and this is where the problem comes in. Perhaps this is one reason behind why they have been tagged as “spyware”.

What Should You Do? 

Most importantly do not automatically assume that just because your spyware program finds cookies, they are always bad. Cookies will almost always be found on your machine during a "scan" because they are used by almost every web developer.

Developers of anti-spyware software tend to be aggressive in applying the term "spyware" and listing the supposed spyware on your computer. For example, the software may scan your computer and report hundreds of spyware infections; first time I did this it was called.. WHAT? I can't have that many spies! Many legitimate anti-spyware tools detect and display cookies, but they are looking for a particular kind of cookie, this kind:

Tracking cookies, called data miners. Say you visit the X site. There's a banner ad there. It is linked to an advertising services company. It downloads a cookie. The cookie says, "This person visited X."

Next, you go to Y site. The banner ad there is associated with the same advertising company. The browser sends the cookie to the banner ad. The ad adds a notation that you visited the Y site. Over time, the tracking cookie builds a profile of your interests. The advertising services company sells this information. That's why you start getting advertising for X and Y.

The same technique that allows X.com to recognize you each time you visit, also may permit marketing agencies to track your web-browsing habits.

Cookies can be hijacked, to where companies get the click someone else paid for. Lots of issues; where there is a will there is a way, however...

For the most part, 1st party cookies, that are from the site you're viewing, likely are legitimate. 3rd party cookies often are not, and it's simple to block those entirely in your browser options, or reject them, and after a short while you will have a pretty good "log" file of refused cookies and their vendors.

If you ever want to get an idea of just how many of these things there are, just set your browser options to tell you about every cookie you're offered, and get prepared to be driven half insane by all the pop ups asking permission, with almost any site you visit asking you to install a cookie. You will find them in your emails even.

The procedure in Internet Explorer 5 and up: To prevent automatic placement of cookies, select Options from the Tools menu. Select the Advanced tab. Check the Warn or Prompt, before accepting 'cookies' box in the Warnings section. Below are your options.
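The first-party recognition and the banner-ad tracking described above, together with the effect of blocking 3rd party cookies, can be modelled in a few lines. This is an added example, not part of the original article; the hosts x.example, y.example and ads.example and all class and function names are hypothetical, and "third party" is simplified to "host differs from the page's host".

```python
import secrets
from urllib.parse import urlsplit


class Server:
    """A site that keys its own database on the ID stored in its cookie."""
    def __init__(self, host):
        self.host, self.db = host, {}

    def handle(self, cookie_id, note):
        if cookie_id not in self.db:        # absent or unknown: issue a new ID
            cookie_id = secrets.token_hex(4)
            self.db[cookie_id] = []
        self.db[cookie_id].append(note)     # the data stays on the server
        return cookie_id                    # only the ID goes into the cookie


class Browser:
    def __init__(self, block_third_party):
        self.jar, self.block_third_party = {}, block_third_party

    def fetch(self, server, page_url, note):
        third_party = server.host != urlsplit(page_url).hostname
        if third_party and self.block_third_party:
            server.handle(None, note)       # request goes out with no cookie
            return                          # and the cookie in the reply is refused
        self.jar[server.host] = server.handle(self.jar.get(server.host), note)

    def visit(self, site, ad_server):
        url = f"http://{site.host}/"
        self.fetch(site, url, "page view")               # first-party request
        self.fetch(ad_server, url, f"saw {site.host}")   # banner embedded in page


def run_scenario(block_third_party):
    """Return (longest profile held by the ad company, X's record of the visitor)."""
    x, y, ads = Server("x.example"), Server("y.example"), Server("ads.example")
    browser = Browser(block_third_party)
    for site in (x, y, x):                  # visit X, then Y, then X again
        browser.visit(site, ads)
    return max(ads.db.values(), key=len), x.db[browser.jar["x.example"]]
```

With blocking off, the ad company ends up with one profile listing X, Y and X; with blocking on, it holds only unlinked single visits, while X still recognizes its repeat visitor in both cases.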

Accept all cookies.
Prompt before accepting cookies.
Disable all cookie use.

I will warn you that you will not be able to tolerate this for long, but it will give you a very good idea of who's hitting you with what and why. With it set in this fashion you will be able to track the tracker, see just what cookies are attempted and what they are, and make an informed choice about whether to accept or not. Once you have a good idea, I suggest resetting it to accept 1st party cookies and auto deny any 3rd party cookies, just to save your sanity.

Now, on the best sites, the only cookies you will find are for their hit counter or some other legitimate use, but if there are ad banners everywhere, count on it, there will be requests for 3rd party cookies that are not related to the site at all. Whether you allow these is up to you, but blocking all cookies entirely is not really a good option, as it means you lose all of the "good" cookies as well. So take back control over the machine, clean out the cookie jar on a regular basis and do a site by site override to allow cookies only on sites where the cookie is to your benefit, not to that of some third party who's just out to see what ads they can fill up the page with.

More soon
Esta

