Cookie monsters
Cookies are used to personalize the Web browsing experience. Essentially, they are pieces of data written by a Web server that are stored on a user's PC. When the user returns to the site, the cookie is transferred back to the server.
Among other things, cookies track a user's keystrokes on a site, which helps the site deliver more targeted or timely information. A cookie issued by the New York Times, for example, might prompt the site to display a page of business news first, depending on the user's interest.
Simply knowing that cookies can track their Web whereabouts is enough to cause some users alarm. But that alone shouldn't be cause for concern, according to Stanton McCandlish, program director for the Electronic Freedom Foundation in San Francisco.
"Cookies don't in and of themselves pose any privacy risk," McCandlish says. "The concerns come up when companies share cookies."
What you can do about cookies
Imagine searching Alta Vista for sites on cigars, says Srikanth Chari, founder and vice president of strategic marketing at CyberMedia in Santa Monica, Calif. That search winds its way to DoubleClick, which sends a cookie to the users' PC, tracking subsequent keystrokes."Right now, [the cookie] information is being used for better banner advertising," Chari says. But eventually, such "smoker" information could be bought and used by insurance companies and employers, he suggests.
EFF's McCandlish believes that scenario is unlikely. "Vendors realize how serious the issue of protecting privacy is. If a company were to start selling cookies to an insurance company, that would be a death knell-- an absolute scandal," he says.
And DoubleClick, for its part, claims it doesn't know the names, email addresses, phone numbers, or home addresses of anyone who visits a site in the DoubleClick network. The information DoubleClick gathers with cookies is used only across the DoubleClick Network in the context of ad selection.
Nonetheless, DoubleClick's technical ability to collect personal information and create huge databases for resale means that sites with less integrity could also do it-- and that's what worries privacy watchdogs.
Power to the people
McCandlish and Chari agree that users need better tools for managing cookies. Netscape Navigator and Internet Explorer give users three primitive choices: accept all cookies, deny all cookies, or accept or deny them on an individual basis. The last choice is worst of all. With some websites pushing up to 20 cookies per visit, users can easily spend all of their time clicking on accept or deny.
At the very least, the browsers should allow users to accept or deny cookies on a per-site basis, McCandlish says. CyberMedia recently shipped software that does just that. Guard Dog, which retails for about $60, also protects a user's valuable files against viruses and hostile applet attacks.
Guard Dog's de facto recommendation is that users accept cookies from sites they visit, but not from third parties such as DoubleClick.
"We think there are legitimate uses of cookies," Chari says. "The problem is when cookie information is used in a way the original site did not intend."