Printer Friendly

Are cookies hazardous to your privacy? Cookies allow businesses to collect information about Internet users, but some question whether they are valuable records or unethical tracking mechanisms. (NetWise).

At the Core

This article:

* Defines cookies and their uses

* Poses questions about cookies and privacy

"Good morning, we have four new books that may interest you ..."

A moment ago you arrived at a Web site, and suddenly that Web site not only knows your name but your interests as well. You're impressed; they may make a sale. But how did they find out that you were visiting their Web site, and how did they learn what you were interested in?

Hidden inside virtually every Internet browser are tiny files that may allow others to invade a user's privacy. These files enable companies to track users' Internet surfing, record their online purchases, and greet them by name when they visit a Web site. They are "cookies."

A cookie is a piece of information passed between an Internet server and a user's Web browser. This information is used by the server to track the specific Web browser (and thus, the user) that is making a specific request of the server. Generally, this bit of information is a string of text. The text includes an identifier for the server leaving the cookie with the user and a unique identifier for the user (in some cases by name) or his or her computer.

Technically, cookies perform "HTTP State Management," described technically in documents RFC-2109 and RFC-2965 available from the Internet Engineering Task Force ( RFC (request for comments) documents are proposals for Internet standards that govern the various technical protocols used universally on the Internet. An additional proposal, RFC-2964, "Use of HTTP State Management," sets guidelines for appropriate use of cookies.

When the server answers the request and sends the cookie, it also often obtains some information about the user and his or her computer. For example, if the user has logged into the site, his or her login information (and whatever information he or she has associated with that login) can be (but typically is not) associated with the cookie identifier. At bare minimum, the Web server will be able to determine the user's Internet Protocol (IP) address, the type of Web browser being used, and the computer's operating system.

How and Why Do Web Sites Use Cookies?

There are many uses for cookies. A cookie may be used to track the "login" status of a user for both the current session and future sessions. This conveniently eliminates the need for the user to continually enter his or her name and password or other identifiers.

A Web site may use cookies to track the pages that have been visited on that site. This will enable the site's webmaster to determine how users navigate the site and which pages are most popular. This helps in reorganizing the site for better navigation or for highlighting pages that attract a lot of visits.

A Web site may use cookies to identify the habits of a particular user. In reality, the cookie is usually tracking the habits of a particular browser at a particular IP address and will only know who the user is if the user has provided that information to the site by logging in. But once the user has identified himself or herself to that site, it is entirely possible for the site to know the user's habits and interests.

A Web site engaged in electronic commerce or shopping will use cookies to help track a user's "shopping basket" as multiple items are added.

Avoiding Cookies

It is possible to avoid cookies while surfing the Internet. Unfortunately, avoiding cookies may prevent a user from accessing information or obtaining services. Most Internet browsers have a feature that allows the user to "turn off" cookies. In Netscape Navigator, the user should go to "Preferences," and then open the "Advanced" settings. In the "Advanced" window, the user has a number of choices. The user can elect to "Accept all cookies," "Accept only cookies that get sent back to the originating server," completely "Disable cookies," or "Warn me before accepting a cookie." In the last case, the user will get a message asking if he or she wants to accept a cookie whenever one is encountered. This can get annoying as cookies are found on virtually every site.

In Microsoft Internet Explorer, select Internet "Options," then open the "Security" tab. Selecting a "High" security level automatically turns cookies off. If a custom level of security is selected, choices depending upon the nature of the cookies are offered. If the cookies are "persistent" (the cookies are stored on the PC for a period of time), the user may select a choice of "Enable," "Disable," or "Prompt." Likewise, cookies that are session-specific (used only while the browser is open) have the same choices.

The major browser programmers have thus recognized that users should have control over cookies and their storage. In addition, there are a variety of software packages available that can assist in preventing and purging unwanted cookies.

Making Decisions About Privacy

A user should have the final say in what information becomes known about him or her. However, the widespread usage of cookies and the ways in which different organizations use the information have led to increased scrutiny from governmental bodies. Reuters recently reported that the European Parliament is proposing legislation that would prohibit the use of cookies without the "prior and explicit consent of users." The legislation is being opposed primarily on grounds that it would make using the Internet difficult.

In general, it is probably helpful to understand what information is being tracked about Internet use. Internet users should be aware of cookies and how particular Web sites use the information gathered. Users should further be aware when unrelated third parties gather information about them. This point is of particular concern.

Most Web sites today feature gaudy banner advertising, "pop-up," or "pop-under" advertising. These ads are placed by a variety of companies, and tracking demographics and "click throughs" is critical to their business model. Organizations paying for advertising on the Internet are paying for unique "clicks" on their ad.

Tracking the uniqueness of the viewers became the first job of cookies. What advertisers found, however, is that cookies also are a good way to gather demographic information--and target advertising to the user. Because advertising on the Internet is ubiquitous these days, it is not difficult for an advertising company to track the travels of a particular cookie. From that tracking, a profile can be built. From that profile, targeted advertising can be delivered to the user. If a user is seen to frequent Web sites about dogs, that user can be targeted with ads for dog food. If a cookie is seen frequenting travel-related sites, the user may be presented with advertising from airlines or online travel agencies. In most cases, however, the specific user behind the cookie is unknown and anonymous. It requires no giant step, however, to match the cookie to an individual once that individual shares his or her information with the advertiser or the advertising agency.

Records Management Issues

There has been some interesting discussion about whether cookies are records. Much of the controversy has resided in the public sector, most notably in Cookeville, Tennessee, the seat of Putnam County. The Putnam Pit (, an online newspaper, has been seeking to obtain the cookie files of the local government for a number of years, claiming that the cookie files are public records subject to the state's open records law. The debate has been fairly acrimonious and somewhat political in nature, but this issue raises an interesting point. A browser retains a lot of information about the sites that its user has visited. The browser will retain cookies, a history list, a bookmark, or favorites file, and a cache of the pages and images that were on the pages visited. These features serve a variety of purposes for the user, but they may also serve as a type of record of the organization.

If an organization has restrictions about the nature of Internet sites that an employee can visit, both the employee's browser records and the records of the company's Internet firewall and/or Internet proxy server could be called into evidence in an employee termination proceeding. Likewise, the various files could be used in other civil and criminal proceedings. Authenticating the actual user of the computer is another matter, although session-specific cookies generated by a unique login would tend to point to a single user.

The decision of whether or not to treat cookies and other browser files as records is ultimately that of the particular organization and its legal counsel. Because cookie files and other browser-related files can be easily deleted, and because there may be instances where the identity of the computer user cannot be ascertained, it is important that an organization has a clear understanding of how these files should be retained and what evidentiary value they will provide.

It is often difficult, however, to set and implement a retention policy for browser-related files. The retention of the browser cache is usually set by the user or determined by available space on the computer's hard drive. In addition, the user can delete cached files without using the browser's command set to do so. Similarly, the user can delete history files at will and often has the ability to delete selected cookies. At the same time, much of this information is dynamic. Cached pages and graphics are superceded by new pages, and the old pages are deleted. History is updated with each subsequent visit to the Web site. The retention of cookies is often determined by the site administrator, who sets the "expiration" date for the cookie, after which, the file is deleted.

Are Cookies Truly Hazardous?

There is some risk. However, if cookies can not be used at all on the Internet, some other mechanism will need to be devised to enable a Web site to keep track of logins and purchases. This may be a necessary evolutionary step, but it likely will not come unless forced given the prevalence of cookies on the Internet today. The status of cookies and related browser-based information as records is still under review. It will likely take court cases to set some sort of precedent in this arena, as well as to determine the evidentiary value of cookies and similar information.


* Cookies are a mechanism to track a specific browser session with a specific Web server.

* The use of cookies for other purposes and the possibility of associating a specific individual with a request to a Web server have caused some concern on the part of individuals and government bodies.

* Cookies lack clear status as public records and pose questions about whether they are evidentiary information.


"Use of Internet `Cookies' Targeted", 13 November 2001.

Galil, Yair. "The Cookie Monster Strikes Back!" Internet Law Journal, 3 June 2001.

Kaplan, Carl S. "Fighting to Make a City's Cookie Files Public." The New York Times, 18 December 1997.

Kristol, David M. HTTP Cookies: Standards, Privacy, and Politics. Murray Hill, NJ: Lucent Technologies, 2001.

Mayer-Schonberger, Viktor. The Internet and Privacy Legislation: Cookies for a Treat?. 1 W. Va. J. L. Tech. 1.1 (1997). Available at Mayer.htm (accessed 11 April 2002).

Meadows-Klue, Danny. "Crumbling Cookies Could Cook the Net." The Guardian, 26 November 2001.

Metz, Cade. "What They Know." PC Magazine, 13 November 2001.

St. Laurent, Simon. Cookies. New York: McGraw-Hill, 1998.

Warner, Bernhard. "Trade Group Rallies to Save Internet's `Cookie'.", 31 October 2001.

Whalen, David. "The Unofficial Cookie FAQ." Version 2.54. Available at (accessed 11 April 2002).

Patrick J. Cunningham, CRM, is Industry Leader, Information Management, at Hewitt Associates LLC in Lincolnshire, Illinois. He is responsible for Hewitt's global records and information management program. He may be reached at
COPYRIGHT 2002 Association of Records Managers & Administrators (ARMA)
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2002, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Printer friendly Cite/link Email Feedback
Author:Cunningham, Patrick J.
Publication:Information Management Journal
Geographic Code:1USA
Date:May 1, 2002
Previous Article:Privacy vs. cybersecurity: the advantages of doing business over the Internet are tremendous--but only if enterprises can ensure exchanging...
Next Article:Chief privacy officer: your next career? CPOs are a necessity in today's business environment, but no one envies their challenging role of upholding...

Related Articles
Who's zoomin' who on the Web? Internet privacy becomes a major issue for concerned cybernauts.
Tech Issues: revenge of the cookie monsters.
How secure is your computer anyway?
Are you being watched?
Whose Data Is It Anway?
Lawmakers tackle privacy.
Web Sites Grab More Than Cookies From Kids.
Under cover. (Privacy).
Safer surfing. (Up Front: news, trends & analysis).
E-mail and the law: how to manage privacy issues using the AICPA/CICA framework.

Terms of use | Privacy policy | Copyright © 2021 Farlex, Inc. | Feedback | For webmasters