Are cookies hazardous to your privacy?

Cookies allow businesses to collect information about Internet users, but some question whether they are valuable records or unethical tracking mechanisms. (NetWise)

At the Core

This article:
* Defines cookies and their uses
* Poses questions about cookies and privacy

"Good morning, we have four new books that may interest you ..."

A moment ago you arrived at a Web site, and suddenly that Web site not only knows your name but your interests as well. You're impressed; they may make a sale. But how did they find out that you were visiting their Web site, and how did they learn what you were interested in?

Hidden inside virtually every Internet browser are tiny files that may allow others to invade a user's privacy. These files enable companies to track users' Internet surfing, record their online purchases, and greet them by name when they visit a Web site. They are "cookies."

A cookie is a piece of information passed between an Internet server and a user's Web browser. This information is used by the server to track the specific Web browser (and thus, the user) that is making a specific request of the server. Generally, this bit of information is a string of text. The text includes an identifier for the server leaving the cookie with the user and a unique identifier for the user (in some cases by name) or his or her computer.
Technically, cookies perform "HTTP State Management," described technically in documents RFC-2109 and RFC-2965 available from the Internet Engineering Task Force (www.ietf.org). RFC (request for comments) documents are proposals for Internet standards that govern the various technical protocols used universally on the Internet. An additional proposal, RFC-2964, "Use of HTTP State Management," sets guidelines for appropriate use of cookies.

When the server answers the request and sends the cookie, it also often obtains some information about the user and his or her computer. For example, if the user has logged into the site, his or her login information (and whatever information he or she has associated with that login) can be (but typically is not) associated with the cookie identifier. At bare minimum, the Web server will be able to determine the user's Internet Protocol (IP) address, the type of Web browser being used, and the computer's operating system.

How and Why Do Web Sites Use Cookies?

There are many uses for cookies. A cookie may be used to track the "login" status of a user for both the current session and future sessions. This conveniently eliminates the need for the user to continually enter his or her name and password or other identifiers.

A Web site may use cookies to track the pages that have been visited on that site. This will enable the site's webmaster to determine how users navigate the site and which pages are most popular. This helps in reorganizing the site for better navigation or for highlighting pages that attract a lot of visits.

A Web site may use cookies to identify the habits of a particular user. In reality, the cookie is usually tracking the habits of a particular browser at a particular IP address and will only know who the user is if the user has provided that information to the site by logging in. But once the user has identified himself or herself to that site, it is entirely possible for the site to know the user's habits and interests.

A Web site engaged in electronic commerce or shopping will use cookies to help track a user's "shopping basket" as multiple items are added.

Avoiding Cookies

It is possible to avoid cookies while surfing the Internet. Unfortunately, avoiding cookies may prevent a user from accessing information or obtaining services. Most Internet browsers have a feature that allows the user to "turn off" cookies.
In Netscape Navigator, the user should go to "Preferences," and then open the "Advanced" settings. In the "Advanced" window, the user has a number of choices. The user can elect to "Accept all cookies," "Accept only cookies that get sent back to the originating server," completely "Disable cookies," or "Warn me before accepting a cookie." In the last case, the user will get a message asking if he or she wants to accept a cookie whenever one is encountered. This can get annoying as cookies are found on virtually every site.

In Microsoft Internet Explorer, select Internet "Options," then open the "Security" tab. Selecting a "High" security level automatically turns cookies off. If a custom level of security is selected, choices depending upon the nature of the cookies are offered. If the cookies are "persistent" (the cookies are stored on the PC for a period of time), the user may select a choice of "Enable," "Disable," or "Prompt." Likewise, cookies that are session-specific (used only while the browser is open) have the same choices.

The major browser programmers have thus recognized that users should have control over cookies and their storage. In addition, there are a variety of software packages available that can assist in preventing and purging unwanted cookies.

Making Decisions About Privacy

A user should have the final say in what information becomes known about him or her. However, the widespread usage of cookies and the ways in which different organizations use the information have led to increased scrutiny from governmental bodies. Reuters recently reported that the European Parliament is proposing legislation that would prohibit the use of cookies without the "prior and explicit consent of users." The legislation is being opposed primarily on grounds that it would make using the Internet difficult.

In general, it is probably helpful to understand what information is being tracked about Internet use. Internet users should be aware of cookies and how particular Web sites use the information gathered. Users should further be aware when unrelated third parties gather information about them.

This point is of particular concern. Most Web sites today feature gaudy banner advertising, "pop-up," or "pop-under" advertising. These ads are placed by a variety of companies, and tracking demographics and "click throughs" is critical to their business model. Organizations paying for advertising on the Internet are paying for unique "clicks" on their ad. Tracking the uniqueness of the viewers became the first job of cookies. What advertisers found, however, is that cookies also are a good way to gather demographic information--and target advertising to the user.

Because advertising on the Internet is ubiquitous these days, it is not difficult for an advertising company to track the travels of a particular cookie. From that tracking, a profile can be built. From that profile, targeted advertising can be delivered to the user. If a user is seen to frequent Web sites about dogs, that user can be targeted with ads for dog food.
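The distinctions drawn above (session versus persistent cookies, the originating server versus a third-party advertiser, and one advertiser's cookie following a browser from site to site) can be checked mechanically from the Set-Cookie headers a browser receives. The following is an added example, not part of the original article; the host names, cookie values, policy labels and the two-label `site_of` shortcut are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed observations: (site the user visited, host that sent Set-Cookie, header value).
OBSERVED = [
    ("www.dog-lovers.example", "www.dog-lovers.example", "login=ab12; Path=/"),
    ("www.dog-lovers.example", "ads.adnet.example",
     "uid=7f3c9; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/"),
    ("www.dog-food-reviews.example", "ads.adnet.example",
     "uid=7f3c9; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/"),
    ("shop.travel-deals.example", "www.travel-deals.example", "basket=3; Max-Age=3600"),
]

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, lower-cased attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in filter(None, rest):
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def site_of(host):
    """Assumption: the last two labels name the site; browsers use the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])

def classify(visited, setter, header):
    name, value, attrs = parse_set_cookie(header)
    return {
        "name": name, "value": value, "setter": site_of(setter),
        # No Expires or Max-Age means the cookie lasts only while the browser is open.
        "persistent": "expires" in attrs or "max-age" in attrs,
        "third_party": site_of(setter) != site_of(visited),
    }

def accept(cookie, policy):
    """Hypothetical policy labels modelled on the Netscape choices quoted above."""
    if policy == "disable":
        return False
    if policy == "originating-server-only":
        return not cookie["third_party"]
    return True  # "accept-all"

def cross_site_identifiers(observed):
    """Persistent third-party cookies whose same value shows up on more than one visited site."""
    seen = defaultdict(set)
    for visited, setter, header in observed:
        c = classify(visited, setter, header)
        if c["persistent"] and c["third_party"]:
            seen[(c["setter"], c["name"], c["value"])].add(site_of(visited))
    return {key: sites for key, sites in seen.items() if len(sites) > 1}
```

Run over a real capture of response headers, the result of `cross_site_identifiers` lists the cookies that an "originating server only" setting would have refused.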
If a cookie is seen frequenting travel-related sites, the user may be presented with advertising from airlines or online travel agencies. In most cases, however, the specific user behind the cookie is unknown and anonymous. It requires no giant step, however, to match the cookie to an individual once that individual shares his or her information with the advertiser or the advertising agency.

Records Management Issues

There has been some interesting discussion about whether cookies are records. Much of the controversy has resided in the public sector, most notably in Cookeville, Tennessee, the seat of Putnam County
If an organization has restrictions about the nature of Internet sites that an employee can visit, both the employee's browser records and the records of the company's Internet firewall and/or Internet proxy server could be called into evidence in an employee termination proceeding. Likewise, the various files could be used in other civil and criminal proceedings. Authenticating the actual user of the computer is another matter, although session-specific cookies generated by a unique login would tend to point to a single user.

The decision of whether or not to treat cookies and other browser files as records is ultimately that of the particular organization and its legal counsel. Because cookie files and other browser-related files can be easily deleted, and because there may be instances where the identity of the computer user cannot be ascertained, it is important that an organization has a clear understanding of how these files should be retained and what evidentiary value they will provide.

It is often difficult, however, to set and implement a retention policy for browser-related files. The retention of the browser cache is usually set by the user or determined by available space on the computer's hard drive. In addition, the user can delete cached files without using the browser's command set to do so.
Similarly, the user can delete history files at will and often has the ability to delete selected cookies. At the same time, much of this information is dynamic. Cached pages and graphics are superseded by new pages, and the old pages are deleted. History is updated with each subsequent visit to the Web site. The retention of cookies is often determined by the site administrator, who sets the "expiration" date for the cookie, after which the file is deleted.

Are Cookies Truly Hazardous?

There is some risk. However, if cookies cannot be used at all on the Internet, some other mechanism will need to be devised to enable a Web site to keep track of logins and purchases. This may be a necessary evolutionary step, but it likely will not come unless forced given the prevalence of cookies on the Internet today.

The status of cookies and related browser-based information as records is still under review. It will likely take court cases to set some sort of precedent in this arena, as well as to determine the evidentiary value of cookies and similar information.

Cookies

* Cookies are a mechanism to track a specific browser session with a specific Web server.
* The use of cookies for other purposes and the possibility of associating a specific individual with a request to a Web server have caused some concern on the part of individuals and government bodies.
* Cookies lack clear status as public records and pose questions about whether they are evidentiary information.

References

"Use of Internet `Cookies' Targeted." Reuters.com, 13 November 2001.

Galil, Yair. "The Cookie Monster Strikes Back!" Internet Law Journal, 3 June 2001.

Kaplan, Carl S. "Fighting to Make a City's Cookie Files Public." The New York Times, 18 December 1997.

Kristol, David M. HTTP Cookies: Standards, Privacy, and Politics. Murray Hill
Mayer-Schonberger, Viktor. The Internet and Privacy Legislation: Cookies for a Treat? 1 W. Va. J. L. Tech. 1.1 (1997). Available at www.wvu.edu/~wvjolt/Arch/Mayer/Mayer.htm (accessed 11 April 2002).

Meadows-Klue, Danny. "Crumbling Cookies Could Cook the Net." The Guardian, 26 November 2001.

Metz, Cade. "What They Know." PC Magazine, 13 November 2001.

St. Laurent, Simon. Cookies. New York: McGraw-Hill, 1998.

Warner, Bernhard. "Trade Group Rallies to Save Internet's `Cookie'." Reuters.com, 31 October 2001.

Whalen, David. "The Unofficial Cookie FAQ." Version 2.54. Available at www.cookiecentral.com/faq (accessed 11 April 2002).

Patrick J. Cunningham, CRM, is Industry Leader, Information Management, at Hewitt Associates LLC in Lincolnshire, Illinois. He is responsible for Hewitt's global records and information management program. He may be reached at Pjcunnin@hewitt.com.