For some time I've been hearing about dangerous  "cookies" on the Internet.  The only danger I've ever associated with cookies was the danger of unwanted pounds.   What are these "cookies" and who uses them and how? Where and when does one encounter them, and should I be concerned?

Dear CCC-

Cookies on the Internet are not to be confused with the tasty morsels that come from one's kitchen.  The cookies you find on the Internet are small text files that are stored on your hard disk by some Web servers. They help the servers identify users.  There are two types of cookies: those that reside in RAM (memory) and exist only during the time that the user visits a specific site or the browser remains open; and persistent cookies that have a specific expiration date and reside on your hard disk until that date.  You can easily find the persistent cookies on your computer by using the "Find" function in either Windows or Macintosh computers to search for the word "cookie."  

Cookies have an evil reputation primarily because browsers accept cookies, store them, and send information back to the server that placed the cookie--without the knowledge of the user (unless the browser is configured to notify the user about cookies).  A persistent cookie usually contains the domain name of the server that sent the cookie, an expiration date, whether or not the information sent back and forth will be secure (encrypted), and any information the Web designer chooses to store.  Some concerns about cookies are justified.  However, cookies cannot obtain and send detailed personal information unless you provide that information by completing a form or using a service provided by the Web site that served you the cookie. Cookies cannot damage files or systems on computers, and only the server that originally sent the cookie can retrieve it.

Cookies were not developed to help "Big Brother" monitor you; they were developed to make Web sites more friendly and responsive.  Cookies are frequently used to set preferences for regular customers at Web sites.  For example, sites that sell items often store the customer's "shopping basket" in a cookie that resides on the customer's computer. Sites that ask a user to set a password store that password in a cookie on the user's computer so the user can be automatically logged in the next time she/he visits the site.  Sites like MyYahoo or MyNetscape make use of cookies to tailor pages to the user's particular interests. In some respects, cookies can actually enhance security and privacy by letting servers store the user's personal information on the user's computer where that specific server can access the information when needed.

The real problem with cookies is not so much that they are placed on your computer without your knowledge.  Of bigger concern is how the information collected by the cookie (assuming you provide the cookie with additional information) is going to be used by Web administrators at the other end.  Do they simply use that information to customize their Web pages for you, or do they sell that information to third parties--perhaps other companies who would be interested in knowing your interests so they can target their marketing at you?  

There are a number of marketing companies who are in the "ad tracking" business, such as DoubleClick <http://www.doubleclick.com>, Focalink <http://www.focalink.com>, GlobalTrack, and ADSmart.  One activity of ad trackers is to display ads that target the interests of an individual surfer, based on information the server is able to glean from what has been collected and stored in the cookie.  For example, lets say a visit to the Alta Vista Search engine will result in a cookie from Acme AdTracker being placed on a user's computer.  If the user searches for the topic, "aircraft sales," that information could be stored in the cookie.  If, at some time in the future, the same user goes to another site where Acme AdTracker's services are used, the cookie is sent to the Acme AdTracker server, where the server realizes who the user is and that the user appears to have an interest in aircraft sales.  So the server at Acme AdTracker sees to it that an ad for aircraft products is displayed. Additionally, if the user does anything at this new Web site that might enhance the profile that Acme AdTracker is building about this user, that information will be added to the cookie for future reference at any Web site where Acme AdTracker is providing advertising services.

In February 1997, Kristol and Montulli proposed a different set of standards for the implementation of cookies.  If this standard were implemented, among other things, individual users would be able to specify to their browsers the kinds of cookies they are willing to accept.  At this writing, however, this standard is still only a proposal.

Worried about cookies and privacy?  Remember that when you go to any Web site, some information is always collected (the IP address, for example).  This is part of the HTTP protocol that makes the retrieval of Web pages from different servers possible.  Still worried?  If you want to "toss" your cookies, here are some suggestions:
 

1. Use the "Find File" command on your computer, find your cookies file, and delete the cookies that you don't want.  However, be warned. This action could cause some problems when you go to sites that need the cookie you've tossed.  (See the Unofficial Cookie FAQ.)
2. Set the preferences in your browser to alert you to incoming cookies or to refuse to accept a cookie.  However, some sites are inaccessible if you do not accept their cookies. (Again, see the Unofficial Cookie FAQ.)
3. Surf through a server that will give your computer anonymity, <http://www.anonymizer.com>.  However, unless you become a subscriber, this can be very slow surfing. 
4. Obtain "cookie manager," software to allow you to manage the cookies on your computer more efficiently and to edit the cookie files. (See Randall Neil's article "Cookie Managers.")

For more information:

Beaven, Colin.  "They're Watching You:  Internet Advertising Tracking Companies."  Esquire (August 1997): 104-105.

Bott, Ed.  "C is For Cookie."  PC/Computing (July 1997): 324.

Brook, Robert.  "Robert Brook's Cookie Taste Test."  <http://www.geocities.com/SoHo/4535/cookie.html>

Cookie Central. <http://www.cookiecentral.com>

Dern, Daniel.  "Footprints and Fingerprints in Cyberspace:  The Trail You Leave Behind."  Online (July 17, 1998): 44-48.

Kenworthy, Karen.  "Cookie Crumbs--There's No Reason to Keep the Ingredients of Your Browser Cookies Secret."  WINDOWS Magazine (September 1, 1998):  205+.

Kristol, David and L. Montulli.  "RFC #2109:  HTTP State Management System."   <http://info.internet.isi.edu:80/in-notes/rfc/files/rfc2109.txt>

Mayer-Schonberger, Viktor.  "The Internet and Privacy Legislation: Cookies for a Treat?"  West Virginia Journal of Law and Technology   (March 17, 1997).   <http://www.wvjolt.wvu.edu/wvjolt/current/issue1/articles/mayer/mayer.htm>

Neil, Randall.  "Cookie Managers."  PC Magazine (September 9, 1997): 159-163. <http://www.zdnet.com/pcmag/features/cookie/_open.htm>

Neil, Randall.  "The New Cookie Monster."  _PC Magazine_ (April 22, 1997):  211-213. <http://www.zdnet.com/pcmag/issues/1608/pcmg0035.htm>

Slatalla, Michelle.  "Cookies May Annoy But They Don't Hurt."  New York Times (April 2, 1998): G11.

US Department of Energy Computer Incident Advisery Committee.  "CIAC Information Bulletin:  Internet Cookies."  
<http://www.ciac.org/ciac/bulletins/i-034.shtml>

"WebCrawler Help: Cookie FAQ." <http://webcrawler.com/Help/Cookies.html>

Whalen, David.  "The Unofficial Cookie FAQ."  <http://www.cookiecentral.com/unofficial_cookie_faq.html>