
Cookies & Privacy

Good Cookie or Bad Cookie?

By Ravi Pai Panandiker


November 21, 2002
IST 497E/Giles
Overview
 Introduction
 What is a Cookie? Basic Facts
 Cookies & Paranoia
 Getting Creative with Cookies
 Scope of Cookies
 Cookie Fixes
 Cookie Taxonomy
 Anatomy of a Cookie
 Working with Cookies: Code & Demo
 Cookie based Marketing
 Cookies, Privacy & Legislation
 Conclusion
What is a Cookie?
 Short pieces of text generated during
web activity and stored in the user’s
machine for future reference
 Instructions for reading and writing
cookies are coded by website authors
and executed by user browsers
 Developed for user convenience to
allow customization of sites without
need for repeating preferences
Cookie Facts
 Most Cookies store just 1 data value
 A Cookie may not exceed 4 KB (4096 bytes) in size
 Under the original Netscape specification a browser keeps
at most 300 Cookies in total (and 20 per site); when a limit
is reached the least recently used Cookies are discarded,
and expired Cookies are removed
 Cookies have 3 key attributes: name, value and expiry date
Cookies & Paranoia
 Why are Cookies notorious?
 Most Cookie activity is invisible to the user: it happens in
HTTP headers and scripts with no on-screen sign
 Most people do not understand what Cookies
can and cannot do
 People do not know how to protect
themselves from Cookies
 Valid reason: There are organizations out
there using Cookies to track your activities
(More later)
Darwinian Evolution: Getting
Creative with Cookies
 Basic cookie mechanism: Place a piece of
information, retrieve it for customization on
subsequent visits
 Functions available: read, write, delete
 Creative application 1: Initialize a cookie called
counter to 1. Every time the user visits, retrieve
counter, increment it by 1 and re-write it.
 Creative application 2: When a user visits,
write the system date/time in a cookie. On the next visit
read the cookie to show the last visit, then overwrite it
with the current date/time.
Cookie Scope: Cannot Do
 Have automatic access to personal
information like name, address, email
 Read or write files on your hard disk (only the browser
writes the cookie store, and only cookie data goes in it)
 Be read or written by a site other than the one that set
them (the browser sends a cookie only to the domain and
path it was scoped to)
 Run programs on your computer
Cookie Scope: Can Do
 Store and manipulate any information
you explicitly provide to a site
 Track your interaction with parent site
such as pages visited, time of visits,
number of visits
 Let the server combine the cookie with whatever else
the request reveals: IP address, Operating System,
Browser Type
Cookie Fixes: Getting in Control
 Turn up the privacy/security level on your browser to
block cookies or prompt before each cookie is accepted
 Delete the content of a cookie file and then write
protect it (works only where the browser keeps cookies as
plain files)
 Display the cookies visible to the current site/path from
the address bar with:
JavaScript:alert(document.cookie)
(many current browsers refuse javascript: URLs typed into
the address bar; entering document.cookie in the developer
console shows the same string)
 Use 3rd party software: Cookie Pal,
CookieMaster, CookieCrusher to monitor,
browse and edit cookies.
(Shareware/Freeware)
Cookie Types and Taxonomy
 By Lifespan
- Session Cookies (RAM)
- Persistent Cookies (Disk)
 By Read-Write Mechanism
- Server-Side Cookies (HTTP Header)
- Client-Side Cookies (JavaScript)
 By Structure
- Simple Cookies
- Array Cookies
Anatomy of a (Simple) Cookie
String of text with these 6 attributes:
 The domain for which the cookie is valid
 The path for which the cookie is valid
 The name of the cookie
 The value of the cookie
 The expiration date of the cookie
 Whether a secure connection (HTTPS) is needed
for the browser to send the cookie
(Later browsers added further flags such as HttpOnly and
SameSite, which this deck predates.)
Working with Cookies
 The domain and path default to the host and directory of
the page that sets the cookie; a script may narrow the
path or widen the domain to a parent domain the page
belongs to, but never to an unrelated site
 For a given domain and path, a script may
create any number of cookies (up to the per-site limit) by
specifying a name, value and expiry date
 Internet Explorer of the time stored each persistent
cookie in its own text file in the Temporary Internet
Files folder, tagged to its domain; Netscape kept them
all in a single cookies.txt
 Cookies are exposed to script as the string property
document.cookie: reading it returns every name=value
pair for the current domain/path separated by "; ", and
assigning a "name=value; attributes" string adds or
replaces one cookie
Cookie Code
 Cookies may be read/written by
server-side or client-side code
 Server-side Cookies are set by the web server with a
Set-Cookie header in the HTTP response; the browser
returns matching cookies in the Cookie header of later
requests to that server
 Server-side Cookie languages:
Perl/CGI, ASP/VBScript
 Client-side scripts: JavaScript
embedded in page HTML
A Typical Cookie Algorithm
Start: on page load
1. Read Cookie
2. Is the Cookie empty?
   Y: Write a new Cookie, prompting for info if necessary
   N: Use the Cookie info to customize/login etc., then update the Cookie
3. Continue loading page...
© Ravi Pai Panandiker
Cookie Code: JavaScript
 JavaScript code uses 3 standard functions
that are defined in the HTML <head> section:
getCookie(cookieName)
setCookie(cookieName, value, expDate)
delCookie(cookieName)
 All Cookie manipulation is performed using
these 3 functions and regular algorithmic
constructs
 All 3 functions operate on the document.cookie
string, which the browser scopes to the page's
domain/path
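The three helper functions named above, together with the visit counter and last-visit cookies from "Getting Creative with Cookies" and the read/empty-check/update loop of the algorithm slide, written out as an added example (this is not the slides' own code or the demo linked below). It works against the real document.cookie string in a browser; because that property does not exist outside one, a small stand-in, makeFakeDocument, emulates the browser's append/replace/expire behaviour so the same file also runs under Node. The cookie names counter and lastVisit and the one-year expiry are assumptions for the example.

```javascript
// Added example (not from the slides): getCookie / setCookie / delCookie over
// document.cookie, plus the visit counter and last-visit cookies.
// Every function takes an optional doc argument so it can run against the
// real document in a browser or against makeFakeDocument() under Node.

function setCookie(name, value, expDate, doc = globalThis.document) {
  // expDate: a Date, or null for a session cookie. Names/values are
  // URL-encoded so ";" "," and "=" in data cannot corrupt the cookie string.
  let str = `${encodeURIComponent(name)}=${encodeURIComponent(value)}; path=/`;
  if (expDate) str += `; expires=${expDate.toUTCString()}`;
  doc.cookie = str;   // assignment adds or replaces just this one cookie
}

function getCookie(name, doc = globalThis.document) {
  // document.cookie reads back as "a=1; b=2"; find our pair and decode it.
  const prefix = encodeURIComponent(name) + "=";
  for (const part of doc.cookie.split("; ")) {
    if (part.startsWith(prefix)) return decodeURIComponent(part.slice(prefix.length));
  }
  return null;
}

function delCookie(name, doc = globalThis.document) {
  // There is no delete call: a cookie is removed by rewriting it with an
  // expiry in the past (same name and path as when it was set).
  setCookie(name, "", new Date(0), doc);
}

// The algorithm slide: read, check for empty, write/update, report.
function recordVisit(now = new Date(), doc = globalThis.document) {
  const previous = Number(getCookie("counter", doc)) || 0;   // empty -> 0
  const lastVisit = getCookie("lastVisit", doc);             // null on first visit
  const expires = new Date(now.getTime() + 365 * 24 * 3600 * 1000);
  setCookie("counter", String(previous + 1), expires, doc);
  setCookie("lastVisit", now.toISOString(), expires, doc);
  return { visits: previous + 1, lastVisit };
}

// Stand-in for a browser document: only the cookie property, with the
// browser's semantics (one cookie per name, past expiry deletes, expired
// cookies are not read back). `now` is injectable for testing.
function makeFakeDocument(now = () => new Date()) {
  const jar = new Map();
  return {
    get cookie() {
      const out = [];
      for (const [n, c] of jar) if (!c.expires || c.expires > now()) out.push(`${n}=${c.value}`);
      return out.join("; ");
    },
    set cookie(str) {
      const [pair, ...attrs] = str.split(";").map((s) => s.trim());
      const eq = pair.indexOf("=");
      const name = pair.slice(0, eq);
      const value = pair.slice(eq + 1);
      let expires = null;
      for (const a of attrs) {
        const i = a.indexOf("=");
        if (i > 0 && a.slice(0, i).toLowerCase() === "expires") expires = new Date(a.slice(i + 1));
      }
      if (expires && expires <= now()) jar.delete(name);
      else jar.set(name, { value, expires });
    },
  };
}

// Usage: two page loads against the stand-in document.
const page = makeFakeDocument();
console.log(recordVisit(new Date(), page));   // { visits: 1, lastVisit: null }
console.log(recordVisit(new Date(), page));   // { visits: 2, lastVisit: '<first timestamp>' }
```

In a browser, drop the doc argument and the functions act on the page's own document.cookie; the values are then visible to any script the page loads, which is why session identifiers should not be handled this way.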
Cookie Demo: JavaScript
 http://www.personal.psu.edu/ryp105/cookies
Cookie Based Marketing
 What is it?
User customized online advertising and
marketing system that uses Cookies
and databases to create, maintain and
utilize consumer profiles and monitor
their activity
Cookie based Marketing
 How does it work?
 Companies like DoubleClick.net,
adserver.com and adflow.com have
developed an innovative system (using
standard technologies) for this purpose.
 They tie up with popular websites like
Yahoo, Amazon to create an extensive
data and information sharing network
Cookie based Marketing
 How it works contd.
 Code developed by the company (an ad or tracking
pixel fetched from the company's own server) is
placed on these web sites.
 When you hit another such site, your browser fetches
that code from the company's server again and, as with
any request, attaches the cookies that server set earlier,
including the id it assigned you. The company sees which
page referred you, looks up or extends your profile and
returns ads chosen for you
 Result: One person may see ads for sports goods and
another for baby clothes
Cookie based Marketing - Schema
(Diagram with three parties: User Computer, Web Server, Ad Server.)
Web Server and Ad Server exchange:
 SEND - User ad server id, IP address
 GET - Consumer profile and/or targeted banner ad
Web Server to User Computer:
 SEND - Regular page content, targeted advertising
User Computer to Ad Server:
 GET - Cookie based info, user ad server id, IP address
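The User Computer to Ad Server leg of the schema, simulated as an added example (not from the slides, and no real ad network's code). Two made-up publisher sites each embed a pixel from one made-up ad server; the browser keeps cookies per host, so each publisher's server never sees the ad server's cookie and the ad server never sees the publishers', yet the ad server's one id cookie lets it stitch visits to both publishers into a single profile keyed by that id. The server-to-server profile lookup in the schema is omitted, and the cookie jar is simplified to exact host matching.

```javascript
// Added example (not from the slides): how a third-party cookie ties visits
// across sites together. Hosts, cookie name and paths are invented.

class Browser {
  constructor() { this.jar = new Map(); }   // host -> Map(name -> value)

  // Send a request to one server, attaching only that host's cookies.
  request(server, path, referer) {
    const cookies = this.jar.get(server.host) || new Map();
    const cookieHeader = [...cookies].map(([k, v]) => `${k}=${v}`).join("; ");
    const res = server.handle({ path, referer, cookie: cookieHeader });
    for (const sc of res.setCookie) {                 // store Set-Cookie under the responding host
      const [k, v] = sc.split("=");
      if (!this.jar.has(server.host)) this.jar.set(server.host, new Map());
      this.jar.get(server.host).set(k, v);
    }
    return res;
  }

  // Load a publisher page, then fetch every embedded pixel it references.
  visitPage(publisher, adServer, path) {
    const page = this.request(publisher, path, null);
    const referer = `https://${publisher.host}${path}`;
    for (const pixel of page.embeds) this.request(adServer, pixel, referer);
    return page;
  }
}

class PublisherServer {
  constructor(host) { this.host = host; this.seenCookies = []; }
  handle(req) {
    this.seenCookies.push(req.cookie);   // records what this server can observe
    return { body: `page ${req.path}`, embeds: ["/pixel"], setCookie: [] };
  }
}

class AdServer {
  constructor(host) { this.host = host; this.profiles = new Map(); this.nextId = 1; }
  handle(req) {
    // Known visitor: reuse the id from the cookie. New visitor: assign one.
    const m = /(?:^|; )uid=([^;]+)/.exec(req.cookie);
    const setCookie = [];
    let uid = m && m[1];
    if (!uid) { uid = `u${this.nextId++}`; setCookie.push(`uid=${uid}`); }
    if (!this.profiles.has(uid)) this.profiles.set(uid, []);
    this.profiles.get(uid).push(req.referer);   // the page that embedded the pixel
    return { body: "1x1 gif", embeds: [], setCookie };
  }
}

// One user browsing two unrelated publishers that carry the same ad server.
function runScenario() {
  const browser = new Browser();
  const news = new PublisherServer("news.example");
  const shop = new PublisherServer("shop.example");
  const ads = new AdServer("ads.example");
  browser.visitPage(news, ads, "/sports/scores");
  browser.visitPage(shop, ads, "/baby/clothes");
  browser.visitPage(news, ads, "/sports/gear");
  return {
    profiles: Object.fromEntries(ads.profiles),                 // uid -> pages visited
    publisherSaw: [...news.seenCookies, ...shop.seenCookies],   // always "" here
  };
}

console.log(JSON.stringify(runScenario(), null, 2));
```

The output shows a single id, u1, with all three page URLs under it, while both publishers saw an empty Cookie header on every request: no site read another's cookie, which is the point of the scope slides, and the tracking still worked because the same third party was present on every page.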


Cookie Viruses?
 Cookies are stored as plain text (on most platforms as
text files). To cause damage by itself a Cookie would
have to be executed, and the browser never executes it
 On Windows, text files are non-executable
and would open in a text editor if double
clicked
 In general, there are easier loopholes for a
hacker in ActiveX controls, Outlook Express
etc
 The threat from Cookies is not what they can do to your
computer but what information they may store and pass on
(a copied session cookie, for instance, lets someone else
act as you on that site)
Cookies, Privacy and Legislation
 Concern about misuse has come from Government
agencies and from non-profit organizations such as the
Internet Engineering Task Force (IETF) and the
Electronic Privacy Information Center (EPIC)
 Study by the US Department of Energy's Computer
Incident Advisory Capability (CIAC) in 1998
 Its bulletin concluded that there was more hype
than hazard in Cookies.
 Agreed that tracking people’s browsing habits
makes many users uncomfortable
Cookies, Privacy & Legislation
 New proposal put forward by IETF together
with Netscape and Microsoft to modify the
Cookie standard.
 Proposal is being backed by leading non-
profit organizations
 Proposal will limit persistence and make
Cookie activity more transparent.
 Key aspect of proposal is to disallow 3rd party
server access to cookies.
 Would undercut Cookie based marketing.
Conclusion
 Cookies were originally created as harmless
pieces of text for user convenience
 Along the way, some enterprising marketers found a
way to exploit them for business
 Most studies conclude Cookies are not harmful to the
user: would you rather see an ad for a product that's
relevant or one you'd never buy?
 The paranoia arises from the invisible nature
of cookie transactions and inadequate
information about their ability.
Sources
 www.cookiecentral.com
 www.echoecho.com
 www.wmlpulse.com
 www.epic.org
 www.ciac.org
 www.howstuffworks.com
 www.webmonkey.com
 www.ozemail.com.au
Questions or Comments?