Considering all the hype that is published concerning cookies, it's no small wonder that many people are alarmed by them. Due to the amount of email we routinely receive with questions concerning these small files and the time spent in answering those emails, I decided that it would be easier to write a short article on them; so here we go.

Cookies, despite what some overzealous privacy oriented sites may say, are in and of themselves harmless. They are mere text files, and most of the time have no more information in them than a url or two, an expiration date, an ID number and whatever information you may supply while filling out a form or clicking on a link. The ID number is generated by the server that sets the cookie in your browser, and is unique.

Cookies can help website operators in keeping track of your preferences and to keep a certain continuity with you as you go from page to page within a site. For instance, some large sites, let's say one that sells books, may use a cookie with information as to your taste in literature. If you click on the computer science category, that preference can be put into your cookie, and the operator of a dynamic site can have things set up to show you all the possible links to PC related literature, and even to discard pages that are not in that category. But cookies can not be executed as code, nor can they deliver viruses.

If you want something to be a little more concerned about, check out the article on LSOs, more commonly called "Flash cookies".

The Real Culprits

Cookies themselves may be pretty benign, and much of the controversy surrounding them comes not from any danger the cookie itself presents, but rather from information that you may freely supply yourself. How? Read on.

Let's suppose you fill out a form; any type of form, from a simple web poll to clicking a checkbox for a city that you want to view a weather report about. If the web poll might be of a political nature, then the information you have given can be stored in a cookie and possibly mark you as liberal, conservative, or whatever. Clicking on a city for a weather report shows at the very least that you may have ties to that city, and that you probably live there. So, from these two choices the operator of the website has a good idea of your political preferences and where you may live. You can extrapolate the above and see how quickly a fairly accurate database can be built concerning you.

So what, you say? They don't know who you are? Well, don't be so sure about that! I mentioned above that the ID number you receive is generated by the server that sets it, and in theory that number is only supposed to be read by that same server. However, today there are a lot of different websites on the internet that are controlled by one parent company, and that unique ID number you got from one website may be added to the databases of all that company's websites, along with whatever information they have also gathered about you.

You may also use an IRC app like AIM or MSN Messenger or any of the other common varieties. Most people furnish quite a bit of information in order to be able to use these tools. Some are more careful and supply little or no personal information. Either way, the minimum that can be known is your ISP, your screen name, and almost anything you say or do while sending messages online. IRC, or "Chat" software is probably the least secure form of communication on the internet.

Cookies do not need to store any information at all about you; all that is needed is the ID number of the cookie that can be used to match your browser to a database with all of the derived information about you residing on their server. The real privacy problem here is with IRC software, ISP's and any instance where you are required to give information about yourself when you join a newsgroup, a forum, open an email account, or subscribe to a newsletter, etc.

If your IRC software is running when you visit a website, there is freely available server software called an "Identd" daemon (yes, spelling is correct) that can request and receive your identity when you click the link to a page. Also, many ISP's, especially the popular ones with three initials, use such daemons routinely.

Almost any server-side scripting language can pull the following pieces of information from your browser, to name just a few.

Traceroute and WHOIS ... and a host of other items.

You can easily see that while cookies are themselves benign things, they can be used to connect you and all infromation gathered about you to databases on servers, through information origionally gleaned from the use of IRC, forms, polls and server-side scripts. Many of these things cannot be prevented, but cookies most certainly can. The neat little app that I use for controlling cookies is aptly named Cookie Wall, and you can get a free copy of it Here.