The Cookie Monster: The Risks of Internet Cookies and Aggregate Data
Peter V. Radatti
Copyright © January 1998 by Peter V. Radatti. All Rights Reserved.

Internet cookies as a computer
technology sound safe, slightly boring and maybe even tasty. This paper
will attempt to demonstrate that Internet cookies are actually mud pies
with a good deal less safety and tastiness than you would have eating mud.
First, you need to understand what an Internet Cookie is. If you remember
old cowboy movies, there was always a scene where cows were being branded.
An Internet Cookie is the same thing except that it is you that is
being branded. If you are using Netscape, the browser arrives on your computer
with a default of accepting cookies silently. That is, you never feel or
even know that someone just smoked your hide. As a matter of good security
policy I turned silent acceptance of cookies off. There is no option to
turn off acceptance completely, so every time a cookie request is made to
my browser, a pop-up message window appears. The message window gives me
the option of accepting the cookie and being branded or canceling the cookie.
Since most people don’t know what a cookie is, don’t understand that there
are any security issues in accepting them and may, in fact, be afraid of
breaking something by pressing the button labeled "cancel", it
is safe to assume that most people accept cookies. In fact, they would never
even know that they were being "cookied" unless they chanced to
stumble upon the button that disables automatic acceptance.

I feel safe in the given assumption that most people are accepting cookies.
So what is the big danger? The military knows. As long as there has been
warfare, militaries have been concerned by something called aggregate data.
Aggregate data may be as simple as counting the number of cars that enter
the gates at a military reserve. If there is someone counting the number
of cars entering a few dozen reserves across the country over a period of
time, then anyone who has access to the data from all of the reserves could
in fact predict a major military engagement about to start. Simply put,
if the number of cars entering all of the reserves demonstrates a sudden
jump across the country and the people who entered didn’t leave, then the conclusion
is simple. They are about to go somewhere else, en masse. The same type
of analysis can be done with your movements. There are now large networks
of Internet cookie data collection companies who keep track of where you
are, where you came from, where you went to, and the kind of computer, browser
and operating system you are using. In fact, they can also get your IP address,
system name and, if configured, your name, company name and email address.
That is a lot of information about you in a single gulp, but it is by no
means the end. At some point, you will come across a form or you will order
something over the Internet. Suddenly, your real name, home address, telephone
number, credit card number and anything else you tell them about yourself
is now available to connect with your cookie. The interesting thing is that
if the company keeps all your old cookie information, they can track your
past, present and future movements. This could be dangerous if you accidentally
end up at an embarrassing web site.

Why does anyone try to brand you with cookies? The reason is simple: effective
advertising. In fact, I feel that advertising is a useful thing since it
helps me find things that I want to buy. The problem, however, is that a
billboard doesn’t know who is looking at it but a computer does. If I were
a member of a vegetarian household and suddenly started receiving email,
banner advertisements, postal mail and phone calls from meat producers,
this could be a real problem, not to mention an unnecessary irritant. Say
that, at some time in the past, I might have bought a book from an on-line
bookstore. I already had a cookie, so a relationship now exists between
myself as a person and my cookie. The cookie is issued every time I enter
one of the cookie networks and they target advertising to me based upon
my movements. Very quickly they know more about me than I do. As a test,
I turned cookies on for a while and started looking for travel information
at the Alta Vista search engine, which is part of a cookie gathering network,
as is the web site devoted to the Dilbert cartoon strip and many other sites.
As soon as I did my first search on "airfare to Boston", I was
presented with advertisements for travel agents. When I traveled to other
cookie affiliated sites I received more travel related advertisements.
This may sound fine, but think about the implications. If I browsed several
financially-oriented sites, I might start receiving unsolicited and unwelcome
attention from sleazy stock brokers. If I searched for medical information
on the web, I don’t want anyone to know what my problems are. Simply put,
it's none of their business. If my doctor or stock broker shared that type
of information about me, I would have them in front of their respective
state boards for unsavory behavior. The fact of the matter is that a cookie
tracker could learn my medical problems, hobbies, financial interests and
a whole lot more, depending upon what I did on the Internet. This is an
invasion of privacy but, believe it or not, quite legal.

So you shut off automatic silent acceptance of cookies and just press the
cancel button. It would appear that the cookie monsters have already thought
of that. They've gotten pushy and rude. There are now many sites that enforce
cookie branding by plastering you with literally dozens of cookie
requests per page. Some of them plastered me with so many cookie requests
per page that I lost count after 20. The message windows appear faster than
I can cancel them, get in the way of what I am trying to do, and waste my
time. How rude! Department stores don’t keep me out just because I refuse
their "free" credit card and gift at the door. I don’t mind one
cookie request because I have the option of saying no, but receiving dozens
of "requests" feels a bit like getting mugged.

How can you deal with cookies? Actually it’s easy. Turn on silent acceptance
of cookies. Enter the ".netscape" directory and delete the file
named "COOKIE". There are all kinds of dire warnings not to edit
or delete the file but I've done it anyway with no ill effects. Unfortunately,
Netscape keeps recreating the cookie file, so I have to keep deleting it.
On the UNIX computer that I use to browse the web I could put the
"rm /export/home/radatti/.netscape/COOKIE"
in my ".login" and ".logout" files, but I found a better
way. From your home directory, enter the ".netscape" directory.
Remove the COOKIE file and put in a logical link to "/dev/null"
(ln -s /dev/null COOKIE). As fast as the web browser creates new cookies,
the UNIX system throws them away. It works great. I no longer get bothered
with pop-up windows and I clog the cookie monster with hundreds of fake
identities per day. In fact, as far as the cookie trackers are concerned,
they must think that 80 different people visit each page without bothering
to finish downloading the page. Besides not being able to target me for
advertising or gather any type of history or aggregate data on me, this
has got to really hurt their statistics. But don’t feel bad for them. They
pushed me to be clever, took their chances and lost. I almost look forward
to their next move.
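
The /dev/null link described above, written as a script that can be run at login. This is an added example, not the author's own script: the function names are hypothetical and `readlink` is assumed to be available. It also re-checks the link, so a COOKIE file that has been recreated as a regular file is replaced again.

```shell
#!/bin/sh
# Added example. ".netscape" and "COOKIE" are the names used in the text;
# cookie_sink_status and cookie_sink_install are hypothetical names.

# Print the state of DIR/COOKIE: linked, regular, other or missing.
cookie_sink_status() {
    f="$1/COOKIE"
    if [ -L "$f" ]; then
        # A symbolic link: check where it points (readlink assumed present).
        if [ "$(readlink "$f")" = "/dev/null" ]; then
            echo linked
        else
            echo other
        fi
    elif [ -e "$f" ]; then
        # A real file or directory: cookies are being stored here.
        echo regular
    else
        echo missing
    fi
}

# Replace DIR/COOKIE with a symbolic link to /dev/null. Safe to run repeatedly.
cookie_sink_install() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir" >&2
        return 1
    fi
    if [ "$(cookie_sink_status "$dir")" = "linked" ]; then
        return 0    # already in place, nothing to do
    fi
    rm -f -- "$dir/COOKIE" || return 1
    ln -s /dev/null "$dir/COOKIE"
}

# Stand-alone use: sh cookie_sink.sh "$HOME/.netscape"
if [ "$#" -gt 0 ]; then
    cookie_sink_install "$1" && cookie_sink_status "$1"
fi
```
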

In conclusion, cookies are only one way for people to gather aggregate data
on you while you're on the Internet. Cookies are not restricted to Netscape; Microsoft
Explorer and other programs also process Internet cookies. Remember, your
Internet service provider can gather all of this information and more about
you without using cookies. It's a dangerous world, so be careful!
© 1998 CyberSoft, Inc.