IWS - The Information Warfare Site



The Cookie Monster: The Risks Of Internet Cookies and Aggregate Data

by Peter V. Radatti
CyberSoft, Inc.

Copyright January 1998 by Peter V. Radatti. All Rights Reserved.

Internet cookies as a computer technology sound safe, slightly boring and maybe even tasty. This paper will attempt to demonstrate that Internet cookies are actually mud pies with a good deal less safety and tastiness than you would have eating mud. First, you need to understand what an Internet Cookie is. If you remember old cowboy movies, there was always a scene where cows were being branded. An Internet Cookie is the same thing except that it is you that is being branded. If you are using Netscape, the browser arrives on your computer with a default of accepting cookies silently. That is, you never feel or even know that someone just smoked your hide. As a matter of good security policy I turned silent acceptance of cookies off. There is no option to turn off acceptance completely, so every time a cookie request is made to my browser, a pop-up message window appears. The message window gives me the option of accepting the cookie and being branded or canceling the cookie. Since most people don’t know what a cookie is, don’t understand that there are any security issues in accepting them and may, in fact, be afraid of breaking something by pressing the button labeled "cancel", it is safe to assume that most people accept cookies. In fact, they would never even know that they were being "cookied" unless they chanced to stumble upon the button that disables automatic acceptance.
I feel safe in the given assumption that most people are accepting cookies. So what is the big danger? The military knows. As long as there has been warfare, militaries have been concerned by something called aggregate data. Aggregate data may be as simple as counting the number of cars that enter the gates at a military reserve. If there is someone counting the number of cars entering a few dozen reserves across the country over a period of time, then anyone who has access to the data from all of the reserves could in fact predict a major military engagement about to start. Simply put, if the number of cars entering all of the reserves demonstrates a sudden jump across the country and the people who entered didn’t leave, then the conclusion is simple. They are about to go somewhere else, en masse. The same type of analysis can be done with your movements. There are now large networks of Internet cookie data collection companies who keep track of where you are, where you came from, where you went to, and the kind of computer, browser and operating system you are using. In fact, they can also get your IP address, system name and, if configured, your name, company name and email address. That is a lot of information about you in a single gulp, but it is by no means the end. At some point, you will come across a form or you will order something over the Internet. Suddenly, your real name, home address, telephone number, credit card number and anything else you tell them about yourself is now available to connect with your cookie. The interesting thing is that if the company keeps all your old cookie information, they can track your past, present and future movements. This could be dangerous if you accidentally end up at an embarrassing web site.
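The linkage this paragraph describes, shown as an added example that is not part of the original paper: a shell/awk join over a constructed tracker log in which one form submission attaches a name to every visit recorded under the same cookie, including the earlier ones. The record layout, cookie IDs, site names and the name A.Reader are all made up for illustration.

```shell
#!/bin/sh
# Added example: why a persistent cookie ID turns scattered visits into a profile.

# sample_log: constructed records, "time cookie_id site event".
# An event of the form name=... stands for a form or order carrying a real name.
sample_log() {
    cat <<'EOF'
09:01 c-7f3a search.example visit
09:05 c-7f3a health.example visit
09:06 c-22b1 comics.example visit
09:40 c-7f3a books.example name=A.Reader
10:15 c-7f3a finance.example visit
EOF
}

# link_identities: read records on stdin and label every visit with the name
# that was ever submitted under the same cookie ID. Labelling happens after the
# whole log is read, so visits made before the form are attributed as well.
link_identities() {
    awk '
        { n++; id[n] = $2; visit[n] = $1 " " $3 }
        $4 ~ /^name=/ { who[$2] = substr($4, 6) }
        END {
            for (i = 1; i <= n; i++) {
                owner = (id[i] in who) ? who[id[i]] : "unknown"
                print owner, visit[i]
            }
        }'
}

sample_log | link_identities
```

The join key is the cookie ID alone, which is why a browser that never returns the same cookie twice leaves the tracker with nothing to connect.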
So why does anyone try to brand you with cookies? The reason is simple--effective advertising. In fact, I feel that advertising is a useful thing since it helps me find things that I want to buy. The problem, however, is that a billboard doesn’t know who is looking at it but a computer does. If I were a member of a vegetarian household and suddenly started receiving email, banner advertisements, postal mail and phone calls from meat producers, this could be a real problem, not to mention an unnecessary irritant. Say that, at some time in the past, I might have bought a book from an on-line bookstore. I already had a cookie, so a relationship now exists between myself as a person and my cookie. The cookie is issued every time I enter one of the cookie networks and they target advertising to me based upon my movements. Very quickly they know more about me than I do. As a test, I turned cookies on for a while and started looking for travel information at the Alta Vista search engine, which is part of a cookie gathering network, as is the web site devoted to the Dilbert cartoon strip and many other sites. As soon as I did my first search on "airfare to Boston", I was presented with advertisements for travel agents. When I traveled to other cookie affiliated sites I received more travel related advertisements. This may sound fine, but think about the implications. If I browsed several financially-oriented sites, I might start receiving unsolicited and unwelcome attention from sleazy stock brokers. If I searched for medical information on the web, I don’t want anyone to know what my problems are. Simply put, it's none of their business. If my doctor or stock broker shared that type of information about me, I would have them in front of their respective state boards for unsavory behavior. The fact of the matter is that a cookie tracker could learn my medical problems, hobbies, financial interests and a whole lot more, depending upon what I did on the Internet.
This is an invasion of privacy but, believe it or not, quite legal. 
O.K., so you shut off automatic silent acceptance of cookies and just press the cancel button. It would appear that the cookie monsters have already thought of that. They've gotten pushy and rude. There are now many sites that enforce cookie branding by plastering you with literally dozens of cookie requests per page. Some of them plastered me with so many cookie requests per page that I lost count after 20. The message windows appear faster than I can cancel them, get in the way of what I am trying to do, and waste my time. How rude! Department stores don’t keep me out just because I refuse their "free" credit card and gift at the door. I don’t mind one cookie request because I have the option of saying no, but receiving dozens of "requests" feels a bit like getting mugged.
So how can you deal with cookies? Actually it’s easy. Turn on silent acceptance of cookies. Enter the ".netscape" directory and delete the file named "COOKIE". There are all kinds of dire warnings not to edit or delete the file but I've done it anyway with no ill effects. Unfortunately, Netscape keeps recreating the cookie file, so I have to keep deleting it. On the UNIX computer that I use to browse the web I could put the "rm /export/home/radatti/.netscape/COOKIE" in my ".login" and ".logout" files, but I found a better way. From your home directory, enter the ".netscape" directory. Remove the COOKIE file and put in a logical link to "/dev/null" (ln -s /dev/null COOKIE). As fast as the web browser creates new cookies, the UNIX system throws them away. It works great. I no longer get bothered with pop-up windows and I clog the cookie monster with hundreds of fake identities per day. In fact, as far as the cookie trackers are concerned, they must think that 80 different people visit each page without bothering to finish downloading the page. Besides not being able to target me for advertising or gather any type of history or aggregate data on me, this has got to really hurt their statistics.
But don’t feel bad for them. They pushed me to be clever, took their chances and lost. I almost look forward to their next move. 
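The /dev/null link described above, written as a repeatable check; this is an added example, not code from the original paper. It uses the article's file name COOKIE and takes the profile directory as an argument. The rename case in the demo is an assumption about how some programs save files, not a statement about Netscape: a writer that saves to a temporary file and renames it over COOKIE replaces the link itself, so the link has to be verified and re-applied.

```shell
#!/bin/sh
# Added example: keep a cookie file pointed at /dev/null and detect when it is not.

# is_null_routed DIR: succeeds only while DIR/COOKIE is a symlink to /dev/null.
is_null_routed() {
    [ -L "$1/COOKIE" ] && [ "$(readlink "$1/COOKIE")" = "/dev/null" ]
}

# null_route_cookie DIR: replace DIR/COOKIE with a symlink to /dev/null.
# Safe to call repeatedly, for example from .login and .logout.
null_route_cookie() {
    [ -d "$1" ] || { echo "no such directory: $1" >&2; return 2; }
    is_null_routed "$1" && return 0
    rm -f -- "$1/COOKIE" || return 1
    ln -s /dev/null "$1/COOKIE"
}

# demo: run the procedure in a scratch directory with constructed cookie lines.
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed-tracker.example\tID\tabc123\n' > "$d/COOKIE"
    null_route_cookie "$d"
    # In-place writes follow the link and are discarded.
    printf 'constructed-tracker.example\tID\tdef456\n' >> "$d/COOKIE"
    [ -s "$d/COOKIE" ] && echo "cookie data persisted" || echo "in-place write discarded"
    # Assumed writer behaviour: save to a temp file, then rename over COOKIE.
    printf 'constructed-tracker.example\tID\tghi789\n' > "$d/COOKIE.tmp"
    mv "$d/COOKIE.tmp" "$d/COOKIE"
    is_null_routed "$d" || echo "link replaced by rename; re-applying"
    null_route_cookie "$d"
    is_null_routed "$d" && echo "null route restored"
    rm -rf "$d"
}

demo
```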
In conclusion, cookies are only one way for people to gather aggregate data on you while you're on the Internet. Cookies are not restricted to Netscape--Microsoft Explorer and other programs also process Internet cookies. Remember, your Internet service provider can gather all of this information and more about you without using cookies. It's a dangerous world, so be careful!

Copyright 1998 CyberSoft, Inc.