Privacy And The `Cookie' Monster

Cookies are devices that track your visits to Net sites--unless you foil them

Cookies, I've learned, can be controversial. After I wrote a column a few weeks back (Nov. 11) about protecting your privacy on the Internet, most of the responses from readers raised questions about cookies. These are bits of data on your hard drive that World Wide Web sites can use to keep track of your activities.

Originally named "magic cookies," for tokens that have mystical powers in role-playing games, cookies are a powerful device for Web-site designers. If a Web server can figure out whether visitors have been there before and what they have seen, it can customize content, such as the personalized home pages that are offered by Netscape and Microsoft.

MOONLIGHTERS. Cookies are simply entries in a file consisting of the name of the Web site, an identification code unique to the file, and some other data. When you visit a site, it can check your cookies file to see if you've been there before, then act accordingly. For lots more information on what cookies do and how they work, check out cookie.fcgi.

Controversy arises because cookies can be used for more than bookkeeping. Contrary to reports that have gained credence on the Internet, Web sites can't use cookies to suck your name or E-mail address off your computer or otherwise spy on you. But if you have registered by name at a Web site, the server can track your actions, including where you came from and what pages you've looked at, then use a previously deposited cookie to link the data to your name and address. Some site owners sell the information to advertisers and other interested parties. Not surprisingly, many folks object to this snooping and marketing, especially when it is done without their consent, or even knowledge.

Fortunately, a combination of technology and consumer pressure on business could tame the worst abuses. The Netscape Navigator 3.0 and Microsoft Internet Explorer 3.0 browsers can be set to notify you when a Web site wants to deposit a cookie (the built-in America Online browser does not support cookies.) You can then decide whether to take it or not, accepting a cookie from, say, Netscape, while rejecting one from a site that you suspect will bombard you with junk mail.

To get rid of cookies on your hard drive, find and delete any file called "cookies.txt." To control new cookies, if you use Netscape (Mac or Windows), click on the "Options" menu, then "Network Preferences." Select the "Protocols" tab and check the box marked "Show an alert before accepting a cookie." In Internet Explorer (Windows 95 or NT), choose "View," then "Options" from the menu, and check the box on the "Advanced" tab.

In the future, you may get some help in choosing whose cookies to take. CommerceNet, a business consortium promoting Internet commerce, and the Electronic Frontier Foundation, an advocacy group, have set up an organization called eTrust ( to rate the privacy policies of Web sites.

THE PLEDGE. The assumption behind eTrust is that Web users should make informed choices. Sites can get one of three eTrust logos, depending on whether they pledge to collect no data on users, collect it only for the site owner's use, or disclose the terms on which they supply the data to third parties. eTrust is currently recruiting companies to participate in a test of the system.

I keep an eye on my incoming cookies, but accept most of them. I suspect you'll probably want to do the same. The technology is too useful to abandon just because a few site owners are unscrupulous. And our choices will become easier if the approach being pioneered by eTrust catches on.

Before it's here, it's on the Bloomberg Terminal. LEARN MORE