Introduction To Cookies
In the last
year, "cookies" have become an increasingly common topic of discussion in the
online world. A cookie is a small piece of information written to
the hard drive of an Internet user when he or she visits a website
that offers cookies. Cookie files are extremely small, comprising no
more than 255 characters and 4k of disk space.
Cookies can contain a variety of information, including the name of
the website that issued them, where on the site the user visited,
passwords, and even user names and credit card numbers that have
been supplied via forms. Cookies are supposedly only retrievable by
the site which issued them, and link the information gathered to a
unique ID number assigned to the cookie "so that...information is
available from one session to another."
The Unseen Side
When you hit such a site, it requests
the cookie and takes a look to see who you are, and any other
information in your cookie file. It then sends a request to "doubleclick"
with your ID, requesting all available marketing information about
you. (They're very coy about where this information comes from, but
it seems clear that at least some of it comes from your record of
hitting "doubleclick" enabled sites.) You then receive specially
targeted marketing banners from the site. In other words, if Helmut
Newton and I log on to the same site at the exact same time, I'll
see ads for wetsuits and basketballs, and Helmut will see ads for
cameras. If you log in to a "doubleclick" enabled site, and it sends
a request for your "doubleclick" cookie, and you don't have one, why,
each and every one of those sites will hand you a "doubleclick"
cookie. Neat, huh? And you can bet they're going to be rolling in
the cookie dough.
The main concern is that all this is done without anyone's
knowledge. Some people may find the gathering of any information
invasive to their privacy, but to the average level-headed person,
the use of this information is harmless in itself as long as you
know the limitations of these networks, who is collecting what
information and for what purpose. On the other hand, what right
should anyone have to collect information about me without my
knowledge, and why should they break my right to privacy? You have
to find the right balance between these views. One of the main
issues is awareness.
So much for making the "client-server negotiation more efficient".
Whatever your view on tracking, the cookie protocol has certainly
been manipulated for this use, against its original intent. Note
that recent versions of Netscape have an option to show an alert
before accepting a cookie, and they also allow you to block cookies
completely; see the Version 4 update and the Stopping Cookies page
for more detailed information.
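
The exchange described under "The Unseen Side", and the effect of the cookie-blocking option mentioned above, as an added example that is not part of the original page. The class, function and site names are hypothetical, and the flow is simplified so that the browser fetches the banner from the ad network directly.

```python
from http.cookies import SimpleCookie
from itertools import count

SITES = ["news.example", "sports.example", "photo.example"]  # constructed site names

class AdNetwork:
    """Hypothetical banner server playing the role the page gives "doubleclick"."""

    def __init__(self):
        self._next = count(1)
        self.profiles = {}  # unique ID -> sites where this ID requested a banner

    def serve_banner(self, cookie_header, embedding_site):
        """Handle one banner request; return a Set-Cookie value or None."""
        jar = SimpleCookie(cookie_header or "")
        set_cookie = None
        if "id" in jar:
            uid = jar["id"].value            # returning visitor: reuse the ID
        else:
            uid = f"u{next(self._next)}"     # no cookie presented: hand one out
            fresh = SimpleCookie()
            fresh["id"] = uid
            fresh["id"]["path"] = "/"
            set_cookie = fresh["id"].OutputString()
        self.profiles.setdefault(uid, []).append(embedding_site)
        return set_cookie

class Browser:
    """Minimal client holding at most one cookie for the ad network's domain."""

    def __init__(self, accept_cookies):
        self.accept_cookies = accept_cookies
        self.ad_cookie = None

    def visit(self, site, network):
        reply = network.serve_banner(self.ad_cookie, site)
        if reply and self.accept_cookies:
            self.ad_cookie = reply.split(";")[0]  # store only "id=<value>"

def browse(accept_cookies):
    """Visit every site once and return what the ad network recorded."""
    network, browser = AdNetwork(), Browser(accept_cookies)
    for site in SITES:
        browser.visit(site, network)
    return network.profiles

if __name__ == "__main__":
    print("cookies accepted:", browse(True))
    print("cookies blocked: ", browse(False))
```

With cookies accepted, the network holds one ID linked to all three sites; with cookies blocked, it sees three unrelated single-visit IDs.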
What Are The Chances of Catching a Virus From a Cookie?
A normal text-based cookie cannot be
of any danger to your computer or spread any viruses. Whether or not
other cookies can be dangerous or spread viruses has to do with
whether or not a file is "executable," meaning if it's a program
rather than data. UNIX files, for instance, have some combination of
the properties "readable," "writable" and "executable." The
executable property is necessary to enable a program in a file to do
something. If a cookie is not stored in an executable format for
that platform, it cannot do something hostile.
Most cookies are not executable, and I have not come across one. In
general, cookies are stored as text files and cannot be of danger or
pass on viruses. Even if a cookie is executable, it cannot
automatically spread a virus unless you execute it. But of course,
with recent bugs in Internet Explorer 3.0, it will let a site run an
application. In theory, if an executable cookie was set with
malicious contents, then it is possible that IE3.0 could execute it,
and it could then infect your computer with a virus.
The maximum contents of a cookie is 4Kb, and the line to delete the
contents of a hard-disk is only 18 bytes long, so obviously the
virus could do some damage even though it could not be a complete
Trojan horse. Please note this is only a theory and I have never
seen a cookie that was able to spread a virus; this would be
virtually impossible, and would take a great deal of work. This
theory is trivial compared to some other very real loopholes in the
net. A loophole in ActiveX was demonstrated, and was able to access
the underlying file system. There have also been some security
problems uncovered in Java.
Basically, cookies cannot harm your
computer. The general controversy is not what cookies can do to your
computer, but what information they can store, and what they can
pass on to servers. There is currently a new proposal to limit the
features of the cookie protocol, which would give people greater
control over what cookies they can accept and from where.