Cookies are pieces of information generated by a Web server and stored in the user's computer, ready for future access. They are embedded in the HTML information flowing back and forth between the user's computer and the servers, to allow user-side customization of Web information. Essentially, cookies make use of user-specific information transmitted by the Web server onto the user's computer so that the information might be available for later access by itself or other servers. In most cases, not only does the storage of personal information into a cookie go unnoticed, so does access to it. Web servers automatically gain access to relevant cookies whenever the user establishes a connection to them, usually in the form of Web requests.

Cookies are based on a two-stage process. First, the cookie is stored in the user's computer without her consent or knowledge. For example, with customizable Web search engines like My Yahoo!, a user selects categories of interest from the Web page. The Web server then creates a specific cookie, which is essentially a tagged string of text containing the user's preferences, and transmits this cookie to the user's computer. The user's Web browser, if cookie-savvy, receives the cookie and stores it in a special file called a cookie list. This happens without any notification or user consent. As a result, personal information (in this case the user's category preferences) is formatted by the Web server, transmitted, and saved by the user's computer.

During the second stage, the cookie is clandestinely and automatically transferred from the user's machine to a Web server. Whenever a user directs her Web browser to display a certain Web page from the server, the browser will, without the user's knowledge, transmit the cookie containing personal information to the Web server.

Once the cookie is set, it will be freely accessible to Web servers. Whether or not the user consents to such access and not only to the setting of the cookie is a different question altogether. Once the cookie is stored (i.e. "set"), it resides in the user's computer. But for the Web browser, it is as easily available as information stored it . Even though the user consents to the setting of the cookie, she has a guaranteed right to access the personal information contained in the cookies.

The revised Internet draft on a new cookie standard describes a number of steps browser companies could take to reduce their liability. Browsers will have to be modified further, however, to avoid the cookie liability altogether.

The next version of Netscape's browser, Communicator version 4.0, has reportedly been designed to take into account a number of the recommendations made in the cookie draft standard (RFC 2109).

Help might come from software utilities, however. Phil Zimmermann, the acclaimed author of the encryption software Pretty Good Privacy (PGP), has designed an add-on product for the popular Microsoft and Netscape browsers that permits users to manage and ensure their privacy and confidentiality. "PGP Cookie cutter" and Cookie jar are tools to control which server can get your cookies.
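The two-stage exchange described earlier, together with the idea of controlling which server can get your cookies, can be made visible in a short simulation. This is an added example, not code from any tool named above; the host names, the `AuditedJar` class, and the cookie values are constructed for illustration, and cookies are matched by exact host only.

```python
from http.cookies import SimpleCookie

def server_set_cookie(prefs):
    """Stage 1, server side: pack the user's preferences into a Set-Cookie value."""
    c = SimpleCookie()
    c["prefs"] = "|".join(prefs)        # tagged string of text holding the preferences
    c["prefs"]["path"] = "/"
    return c["prefs"].OutputString()

class AuditedJar:
    """Hypothetical browser-side cookie list: logs every store and send,
    and only accepts cookies from hosts on an allow-list."""
    def __init__(self, allowed_hosts):
        self.allowed = set(allowed_hosts)
        self.store = {}                 # host -> {cookie name: value}
        self.log = []                   # audit trail of (action, host, names)

    def receive(self, host, set_cookie_value):
        """Stage 1, browser side: parse a Set-Cookie value and decide whether to keep it."""
        parsed = SimpleCookie()
        parsed.load(set_cookie_value)
        for name, morsel in parsed.items():
            if host not in self.allowed:
                self.log.append(("refused", host, name))
                continue
            self.store.setdefault(host, {})[name] = morsel.value
            self.log.append(("stored", host, name))

    def cookie_header(self, host):
        """Stage 2: build the Cookie header that would accompany a request to host."""
        cookies = self.store.get(host)
        if not cookies:
            return None                 # nothing stored for this host, nothing sent
        self.log.append(("sent", host, ",".join(sorted(cookies))))
        return "; ".join(f"{n}={v}" for n, v in sorted(cookies.items()))

def demo():
    # Constructed scenario: one trusted site, one third-party host that is not allowed.
    jar = AuditedJar(allowed_hosts={"my.example"})
    jar.receive("my.example", server_set_cookie(["news", "sports"]))
    jar.receive("ads.example", "id=abc123; Path=/")
    return jar.cookie_header("my.example"), jar.cookie_header("ads.example"), jar.log

if __name__ == "__main__":
    trusted, third_party, log = demo()
    print("to my.example :", trusted)
    print("to ads.example:", third_party)
    for entry in log:
        print(entry)
```

The audit log is the point: each entry corresponds to a step that an ordinary browser of the kind described above performs without notifying the user.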
