Confused about Cookies? Why call them “cookies” and what are cookies doing on your device?
Let me Explain:
I will tell you what these strange little internet cookies are and present you with some stories about where they got their name. We will then look at how your computer/device uses internet cookies today and what strange new super cookies are lurking in the shadows.
|Ever heard of a Zombie Cookie . . .|
|. . . It comes back from the dead . . .|
|. . . I will tell you how later!|
So what are Cookies?
Web browsers create simple text files called cookies when you visit websites on the internet. Your device stores the text files locally allowing your browser to access the cookie and pass data back to the original website.
And what they are not:
Internet Cookies are not programs or viruses and do nothing on your computer/device by themselves. Cookies simply store information with the aim of improving your web experience and help speed up the internet.
Why does my Browser create Cookies?
Websites you visit or providers of advertising banners on the page you are viewing can tell your browser to create a cookie. They create the cookie to hold data about you, keeping track of your activity and preferences. The aim is to improve the website and perhaps speed up your experience by not needing to ask for the same information multiple times.
What do websites do with this information?
Typically websites store basic information such as the website's name and your user ID. A website can then use the stored data to retrieve your preferences when you next visit. They may also record other information about your activity, for example by storing your search queries. This information is then used to present targeted adverts.
Should I worry about Cookies on my device?
Some people consider the cookie to be a simple, harmless tool designed to make your life easier. Remember it is only a simple text file and by itself cannot do your device any harm.
Others look at internet cookies as if they were evil and intrusive spying mechanisms, tracking your every move on the internet.
What do you think, good or bad?
|Harmless text file . . .|
|. . . Intrusive spying tool . . .|
|. . . Or simply misunderstood?|
Let’s find out . . .
Are all types of Internet Cookie the same?
The internet cookie has many names and aliases which can all add to the confusion over what they are. HTTP, Web, Computer or Browser can be placed in front of the “cookie” name. They all relate to the same simple text file used to store information.
Other terms, such as transient or persistent, can be used to refine how the text file is stored. There are then variations such as Secure Cookies or Third-Party Cookies which behave a little differently.
There are other even more exotic types…
The Flash Cookie and the Zombie Cookie are very different creatures, raising concerns around privacy.
I will explain each type later and why you may want to try and avoid some of the more exotic versions.
Why are Cookies called Cookies?
The term “Cookie” is a strange name to give to a small text file. There are many different stories about where the cookie name came from. The browser cookie concept can trace its beginnings back to Netscape Communications in 1994. A programmer called Lou Montulli had the idea of using a text file to store information. This file would store purchases on each user’s local computer as a way of creating a virtual shopping cart.
Further back in history the mystery begins:
The true beginnings of the term “cookie” are quite hidden. Here is a selection of the most popular origin stories. Read through them and vote for the one you like best and if you have any other internet cookie stories, then leave a comment.
The Hansel and Gretel Cookie Theory
|Some people believe the name for internet cookies came from the fairy tale about two children called Hansel and Gretel. The children were able to mark their trail through a dark forest by dropping “cookie crumbs” behind them so that they could see where they had been. I think this story paints a nice picture of that ability that internet cookies have to track your activity.|
The Cookie Monster Easter Egg
|After a clever programmer left his company, strange things began to happen. Every so often, the computer system would completely stop and the screen would display a message: “Gimme a cookie”. The system would not return to normal until the operator entered the word “cookie” into the system. The root cause was well hidden in the code and could not be found or removed without a complete rewrite. It was decided to leave the code in place and train users to “give the machine a cookie”!|
The Magic Ticket Cookie
|The “Magic Cookie” is another internet cookie story that I came across. Programmers used the name magic cookie to refer to a token or a short piece of data that passed between programs. The contents of this cookie file could not be seen and would not usually be accessed until a program had passed the file back to the sender at a later time. The file is often used like a ticket to identify a particular event or transaction. Sounds similar to the browser cookies we know today.|
The Chinese Fortune Cookie
|Some people may have heard of the Fortune Program from large Unix systems. At startup the system would present a new quote, joke or general information to the user who was logging in. The information was stored in what was called a “cookie file”. Local administrators often changed the file to add their own personal statements. So did the internet cookies we know today get their name from this Unix program?|
Are there any Security Concerns with Cookies?
Internet cookies by themselves are safe. They simply store information that you have entered or they receive from your browser. That information is only available to the website that you were visiting.
But, there is a but:
It is possible for them to be used for malicious purposes.
They can be used as a form of spyware. There are many anti-spyware packages available. Some of them will list certain internet cookies as potential threats. All browsers have built-in privacy controls nowadays. These controls can provide levels of cookie acceptance, retention time, and disposal. Backing up your computer can give you the peace of mind that your files are safe.
So what Risks do Cookies present to me?
Cookies are not programs, so they cannot do anything by themselves. They simply act as a temporary storage space on your local device. A text file cannot gather any information by itself. It is not able to collect any personal information from your machine. These text files can be viewed through a simple editor although normally they are encrypted to help protect your personal information.
Cross-Domain Theft – What is it ?
Each file can only be accessed from the internet by the original website that created the file. This is a key security feature built into every browser. This security concept is referred to as Same-origin Policy and is integrated into every web application’s security model. In principle a web browser will allow a script in one web page to access data in a second web page only if both web pages are from the same origin, i.e. the same website domain.
This helps to protect your computer and personal data from cross-domain data theft. The term cross-domain is where one website domain tries to read the information created and stored by a different website domain. Preventing cross-domain access ensures that website abc.com cannot read a cookie that was created by website xyz.com.
What about Viruses?
Internet cookies do not have viruses in them. They are not capable of installing malware onto your device. So you don’t need to worry that some weird cookie will carry a virus and spread problems on your device.
But then again – there are Tracking Cookies!
Tracking Cookies can store long-term details of your browsing history and patterns. These often take the form of third-party tracking cookies. This long-term storage of your activity does raise serious privacy concerns. It encouraged European and US governments to take action during 2011. Cookie Law is a topic that is growing and I will be writing an article to discuss how the new EU cookie directive affects websites. EU Law coming soon.
What types of cookies are there?
Hopefully we now have an understanding of what cookies are used for.
Let us now look at the different types of internet cookie and their use. There are two main types of file. One is a session cookie and the other is a persistent cookie. Both have different roles to play. Let's read a little more and understand the differences.
A session cookie, also known as a transient cookie, is stored in temporary memory and remains available for the duration of your active “session” within the browser. When you close your browser it is automatically removed from memory. On your next visit to the website, you will not be recognized and will therefore be treated as a completely new person. This is because there is nothing in the browser to let the website know you have previously visited.
Short-term Cookies Play Nice:
This type of cookie can allow a website to keep track of your movement from page to page within that website during an active session. This helps ensure that a web page does not ask for the same information multiple times. This is beneficial as it negates the need to login multiple times as you navigate from one page to the next.
Session cookies do not collect information about the user, but typically store data in the form of a unique identifier that does not personally identify you. They are never written to the hard drive. Often they are set to become invalid after a time period of inactivity.
A persistent cookie, also known as a stored cookie, is a file that is stored on a user’s computer or device. This is the type of cookie most people are familiar with. These text files are created and stored on your hard drive. The file would remain on the device until it reaches its expiration date. At this point the browser would purge the cookie from the hard drive. On every subsequent visit to the website the browser will send the cookie file back to the website. Because a cookie’s information can uniquely identify a client, it can indicate how the user initially came to this website. For this reason, they are also sometimes referred to as tracking cookies.
So why have them?
The benefit of a persistent cookie is that it can result in faster and more convenient access as it can store login details that remove the need to login on each visit to the website. In addition to authentication, other website features are possible through the use of the persistent cookie, such as menu preferences, preferred theme, language selection or even internal site bookmarks. On your first visit, the website is presented in default mode. During this time, you select your preferences and they are remembered, like a session cookie. But they persist from session to session. The web server issues an expiration date, which is added to the text file. In some cases, persistent cookies are set for very long time frames. These can also help a webmaster find out who is a new viewer and who is a returning viewer.
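To make the session/persistent distinction concrete, here is an added example (not code from this article) that reads `Set-Cookie` header values and reports which cookies disappear when the browser closes and which stay on disk, and for how long. The header values are constructed samples and the 365-day review threshold is an assumption.

```javascript
// Added example, not code from the article. Header values are constructed.
const DAY_MS = 24 * 60 * 60 * 1000;

// Split one Set-Cookie header value into name, value and attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // no cookie name: nothing to store
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? '' : part.slice(i + 1).trim();
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Decide whether the browser keeps the cookie after it is closed.
// Max-Age takes precedence over Expires when both are present (RFC 6265).
function classifyCookie(header, now = new Date()) {
  const cookie = parseSetCookie(header);
  if (!cookie) return null;
  const { attrs } = cookie;
  let expiresMs = null;
  if (/^-?\d+$/.test(attrs['max-age'] || '')) {
    expiresMs = now.getTime() + Number(attrs['max-age']) * 1000;
  } else if (attrs.expires) {
    const parsed = Date.parse(attrs.expires);
    if (!Number.isNaN(parsed)) expiresMs = parsed;
  }
  if (expiresMs === null) {
    // No expiry at all: a session (transient) cookie.
    return { name: cookie.name, kind: 'session', lifetimeDays: null };
  }
  if (expiresMs <= now.getTime()) {
    // An expiry in the past is how a server asks the browser to delete a cookie.
    return { name: cookie.name, kind: 'deleted', lifetimeDays: 0 };
  }
  const lifetimeDays = Math.round((expiresMs - now.getTime()) / DAY_MS);
  return { name: cookie.name, kind: 'persistent', lifetimeDays };
}

// Report persistent cookies that outlive maxDays (an assumed review threshold).
function findLongLived(headers, now = new Date(), maxDays = 365) {
  return headers
    .map((h) => classifyCookie(h, now))
    .filter((c) => c && c.kind === 'persistent' && c.lifetimeDays > maxDays)
    .map((c) => c.name);
}

// Constructed sample headers and a fixed "current" date so results are repeatable.
const sampleHeaders = [
  'sessionid=a1b2c3; Path=/; HttpOnly',
  'theme=dark; Max-Age=2592000; Path=/',
  'visitor=3E7ETW278UT; Expires=Mon, 01 Jan 2035 00:00:00 GMT; Path=/',
  'old=; Expires=Thu, 01 Jan 1970 00:00:00 GMT',
];
const sampleNow = new Date('2025-01-01T00:00:00Z');
for (const h of sampleHeaders) console.log(classifyCookie(h, sampleNow));
console.log('long-lived:', findLongLived(sampleHeaders, sampleNow));
```
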
Secure & Http Only Cookies
Third party cookies are files that have been written onto your device by a website that is different from the website you are actually visiting. The word “party” helps clarify this idea as it refers to the actual domain or website that places the cookie onto your device.
|Let’s consider the term ”party” . . .|
|. . . No – it’s not about having a good time . . .|
|. . . It refers to who is actually creating the cookie|
Third Party Cookie Example
You visit www.abc.com and a cookie is created by the website. The domain of that cookie would be “abc.com”. This is what we would call a First Party Cookie as the cookie was created by and belongs to the website you visited.
Let’s consider visiting www.abc.com again, but this time it has an advertising banner on its page owned by “adverts.com”. Now when you visit www.abc.com the banner ad creates its own adverts.com cookie and places it on your device. This new cookie has the domain of “adverts.com” because the banner ad was loaded into your browser from adverts.com. This is a third party cookie as the cookie created belongs to a different website from the one you were actually visiting.
Why would they do this?
Let’s say you go to a new website called www.xyz.com. They also happen to have a banner ad by the same organisation, adverts.com. The cookie previously created by adverts.com when you were on the first website (www.abc.com) can now be opened by adverts.com, which can read where you had previously been. This allows the advertiser to track your activity.
How are Third Party Cookies created
A third party cookie can be created if the web page you are opening loads ANY content from another website/domain. By simply having a piece of content such as an advert from a different site loaded on the web page you are viewing, you are granting permission for that different site to create its own cookie on your device.
Who uses Third Party Cookies
Some advertisers use third party cookies to track your visits to various websites on which they advertise. Many major websites track their visitors’ behavior and then sell or provide that information to other companies. Tracking is a term that includes many different methods that websites, advertisers and others use to learn about your web browsing behavior. This includes information about what sites you visit, things you like, dislike and purchase. They often use this information to show ads, products or services specifically targeted to you.
How do Third Party Cookies work
Suppose you visit the domain www.Interesting.com. The web pages on that domain may feature content from a third party domain. For instance, there may be an advertisement run by www.Advertiser.com showing graphic advert banners. When your web browser asks for the banner image from www.Advertiser.com, that third party domain is allowed to set a cookie. Each domain can only read the cookie it created, so there should be no way of www.Advertiser.com reading the cookie created by www.Interesting.com. So what’s the problem?
What if Advertiser.com is on LOTS of websites?
Some people don’t like third party cookies for the following reason. Suppose that the majority of sites on the internet have banner adverts from www.Advertiser.com. Now it’s possible for the advertiser to use its third party cookie to identify you as you move from one site with its adverts to another site with its adverts.
But they don’t know who I am!
Even though the advertiser from www.Advertiser.com may not know your name, it can use the random ID number in the cookie to build up an anonymous profile of the sites you visit. Then, when it spots the unique ID in the third party cookie, it can say to itself: “visitor 3E7ETW278UT regularly visits a music site, so show him/her adverts about music and music products”.
A survey in the USA found 84% of people outraged by the idea of advertising companies building up profiles about their browsing habits, even if in some cases the profile might be anonymous. Reports and research on the subject of website tracking tell us that the rejection of third party cookies is growing. Increasing numbers of people are trying to stop and block them, or at least trying to delete their cookies regularly.
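The third party cookie walk-through above can be run as a small simulation. This is an added example, not code from this article: the `AdServer` and `Browser` classes and the `visitor-N` ID format are illustrative, while the domain names follow the article's abc.com / xyz.com / adverts.com example. It shows the profile the ad server ends up with when third party cookies are accepted, and how that profile falls apart into unlinked single visits when the browser blocks them.

```javascript
// Added example, not code from the article. Classes and ID format are illustrative.

class AdServer {
  constructor(domain) {
    this.domain = domain;
    this.nextId = 1;
    this.profiles = new Map(); // visitor id -> sites where the banner was shown
  }
  // Handle a banner request. `cookie` is whatever the browser sent for this
  // domain; `embeddingSite` is the page that loaded the banner.
  serveBanner(cookie, embeddingSite) {
    const id = cookie || `visitor-${this.nextId++}`;
    if (!this.profiles.has(id)) this.profiles.set(id, []);
    this.profiles.get(id).push(embeddingSite);
    return { setCookie: id };
  }
}

class Browser {
  constructor({ blockThirdParty = false } = {}) {
    this.blockThirdParty = blockThirdParty;
    this.jar = new Map(); // cookie domain -> value
  }
  // Visit `site`, whose page embeds content from each server in `embeds`.
  visit(site, embeds = []) {
    if (!this.jar.has(site)) this.jar.set(site, `first-party-${site}`);
    for (const server of embeds) {
      const isThirdParty = server.domain !== site;
      const blocked = isThirdParty && this.blockThirdParty;
      // Only the cookie stored for server.domain is ever sent to that server,
      // so adverts.com never sees the abc.com or xyz.com cookies.
      const sent = blocked ? null : this.jar.get(server.domain) || null;
      const response = server.serveBanner(sent, site);
      if (!blocked) this.jar.set(server.domain, response.setCookie);
    }
  }
}

// Browse three sites that all carry a banner from the same ad server and
// return what the ad server has recorded: { visitorId: [sites...] }.
function simulate(blockThirdParty) {
  const adverts = new AdServer('adverts.com');
  const browser = new Browser({ blockThirdParty });
  browser.visit('abc.com', [adverts]);
  browser.visit('xyz.com', [adverts]);
  browser.visit('music.example', [adverts]);
  return Object.fromEntries(adverts.profiles);
}

console.log('third party cookies allowed:', simulate(false));
console.log('third party cookies blocked:', simulate(true));
```

With blocking on, the ad server still receives each banner request, but every request looks like a new visitor, so the visits can no longer be joined into one profile through the cookie.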
The Infamous Flash Cookie
Flash Cookies (aka “Super Cookies“) are unlike typical internet cookies. Flash cookies are different because they are independent of the browser. Written by Adobe Flash they are designed to be permanently stored on your computer. A Flash Cookie could be created when you visit any site that uses Flash on its pages.
So What is a Flash Cookie?
Adobe use the term Locally Shared Objects (LSO) to refer to flash cookies. When you open a website that is running Flash, you allow Flash to create one of these Shared Objects. On every subsequent visit to any website running Flash, the locally shared object, in other words our Flash cookie, can be accessed again. This is a type of Super Cookie as it has super powers that allow it to remain on your device even after you have removed all cookies from your browser! It is also able to cross domains, being created in one place and read in a separate domain. This raises security concerns.
Flash Cookies vs HTTP Cookies.
Regular computer cookies are browser based. This means you can easily remove them via browser tools (read my article about deleting these files). Super cookies are more difficult to detect and remove from your device because they will not be deleted in the same way. They are designed to function in the same manner as regular cookies, storing details about browsing history, personal preferences, authentication details or ad-targeting data. However, they are also designed not to be removed from your device, and are therefore able to store weeks’ or even months’ worth of data. This data can extend to your location, time zone, photographs, text from blogs, shopping cart contents and even e-mails.
Flash Cookie Concerns
Most alarming is the fact that many websites are not up front about using Flash technology on their site. You are therefore not aware of the possibility that your data may be tracked. The issue of super cookies is a difficult one to deal with. As technology moves forward there will be measures created to deal with them, but flash cookies are not the product of a criminal individual. They are created and maintained by large corporations who collect this data in an effort to better understand and serve their customer base.
No matter which side of the cookie debate you’re on, the next time you visit a flash enabled site you’re likely allowing a cookie into your computer that will collect and transmit data.
One of the aspects that makes this type of file so special is its ability to be triggered each and every time you visit any site with Flash enabled. Unlike normal internet cookies that are restricted to a single domain, this type of cookie can interact with multiple websites and therefore collect data as you navigate from site to site.
How do Flash Cookies work?
Normal HTTP cookies can’t save more than 4 Kilobytes of data while Super Cookies can save up to 100 Kilobytes. Sometimes the reason behind a Flash Cookie is to allow for the creation of two cookies on the user’s machine: 1. A standard HTTP cookie that the user can erase. 2. A Flash cookie that the user most likely is not aware of, because the existence of these Flash cookies is not well known. This practice is very deceptive because by deleting cookies, the user is clearly rejecting attempts to be tracked. Using this obscure technology to subvert these wishes is a practice that perhaps should not be allowed.
Dive a little Deeper into the Flash Cookie.
Adobe Flash Player does not actually allow third party locally shared objects to be shared across websites. If a flash cookie is created by “abc.com”, it would not by default be available to another domain such as “adverts.com”. However, the first party website could use the flash cookie it creates to pass information to a third party using certain settings found in the dedicated XML file. Also, third party LSOs are allowed to store certain data elements by default. This stored data can be shared across different types of browsers on the same machine.
As an example:
A visitor opens a website using their Firefox browser. They then view a page that displays a specific product. The visitor then closes the Firefox browser. The information that was just viewed about that product can be stored in the Flash Cookie / LSO.
Now let's say the same visitor on the same device uses an Internet Explorer browser. When they visit any page from the site that was just viewed through Firefox, that site can read the Flash cookie / LSO values through the Internet Explorer browser. The website can now display dynamic content or otherwise target the visitor even when switching between different browser applications.
Flash cookies are browser independent. This gives them another super power allowing them to transition across browsers as well as allowing information to be passed between websites.
One of the main problems with flash cookies is that browsers do not clear them when the user deletes the cookies on their machine. This type of internet cookie NEVER expires and some of them even contain the name of your computer and the file paths/directories of key files. They can share data across domains without our knowledge or permission. Cookie preferences can be ignored. Adobe Flash Cookies can be used as a Trojan to reinstate removed cookies that the user has flushed.
The Zombie Cookie is born!
I’ll tell you more about the Zombie cookie in the next section
Flash Cookie Lawsuits
The New York Times highlighted concerns. In the United States there have been at least five class-action lawsuits against media companies.
How Can I detect and remove Super Cookies?
Software I can install
I am working on pulling together a list of tools that will help you control your cookies. Please come back in a few weeks to see what I have found.
Antivirus software that also removes Super Cookies
Websites you can visit to help control the use of Super Cookies e.g. Adobe and Macromedia
Browser add-ons such as BetterPrivacy for Firefox
CCleaner for PC and Flush.app for Mac
The Zombie Cookie is born!
Use of Flash cookies to ‘re-spawn’, or bring back to life, traditional internet cookies.
What are Zombie Cookies?
Internet Cookies that rise from the dead. Zombie cookies come back to life after you kill or delete them. UC Berkeley first identified the Zombie Cookie when they noticed that after deleting cookies the cookies kept coming back over and over again. No amount of deleting them would kill them. Many people had absolutely no idea what a zombie cookie was, or that they even existed, until a massive lawsuit in 2009, which targeted some of the biggest names on the web.
Differences between Zombie Cookies & regular cookies:
|Regular Cookies|Zombie Cookies|
|---|---|
|Stored in browser|Stored in Flash or Silverlight|
|Easily blocked and deleted from browser|Blocking and deleting them is not easy|
|Size = 4kb|Size = up to 100kb|
|Work with only one browser|Work across all browsers on the same machine|
How do they work exactly?
What you think happens: You visit a website, and they plant browser cookies.
You visit the website again, and they retrieve those cookies.
You can block them or delete them, and that’s that.
How do they work exactly?
What REALLY happens (in some cases): You visit a website, and they create internet cookies AND Adobe Flash cookies.
You block or delete regular cookies. Doesn’t matter!
You visit the website again, they check for regular cookies – No luck?
They check for Adobe Flash cookies, which are EXACTLY the same, if not even more detailed (remember 4kb vs. 100kb). So in a sense, you deleting or blocking internet cookies doesn’t matter. Zombie Cookies are there.
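The respawn sequence above leaves a recognisable trace: an identifier that was present, was cleared, and then returns with exactly the same value. The following added example (not code from this article) checks three storage snapshots for that pattern and points at the non-cookie store that kept the copy. The snapshot layout, store names and values are constructed, and the minimum identifier length is an assumed heuristic to avoid flagging short preference values that a site could legitimately set again.

```javascript
// Added example, not code from the article. Snapshot format is an assumption:
// { cookies: {name: value}, otherStores: {storeName: {key: value}} }.

function findRespawnedCookies(before, afterClear, afterRevisit, minIdLength = 8) {
  const findings = [];
  for (const [name, value] of Object.entries(afterRevisit.cookies)) {
    const sameAsBefore = before.cookies[name] === value;
    const wasCleared = !(name in afterClear.cookies);
    // A cookie that returns with a new value is just a fresh cookie.
    if (!sameAsBefore || !wasCleared) continue;
    // Short values such as "1" or "dark" can be re-set identically without
    // any tracking, so only identifier-like values are reported.
    if (value.length < minIdLength) continue;
    // Find where the value survived the clearing step.
    const sources = [];
    for (const [store, entries] of Object.entries(afterClear.otherStores || {})) {
      for (const [key, stored] of Object.entries(entries)) {
        if (stored === value) sources.push(`${store}:${key}`);
      }
    }
    // An empty sources list means the copy lives somewhere the snapshot
    // did not cover.
    findings.push({ name, value, sources });
  }
  return findings;
}

// Constructed snapshots: before clearing, right after clearing, after revisiting.
const flashStore = { flashLSO: { 'abc.com#uid': '3E7ETW278UT' } };
const sampleBefore = {
  cookies: { uid: '3E7ETW278UT', sess: 'aaaa1111bbbb', consent: '1' },
  otherStores: flashStore,
};
const sampleAfterClear = { cookies: {}, otherStores: flashStore };
const sampleAfterRevisit = {
  cookies: { uid: '3E7ETW278UT', sess: 'cccc2222dddd', consent: '1' },
  otherStores: flashStore,
};

console.log(findRespawnedCookies(sampleBefore, sampleAfterClear, sampleAfterRevisit));
```
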
Who has used them?
ESPN, MTV, HULU, ABC, MySpace, NBC, YouTube, Scribd, and that is just for starters. It isn’t even the tip of the iceberg when it comes to who is hiding zombie cookies on your computer.
Purposes of using them.
Marketing Research or Tracking personal browsing habits.
Since Zombie cookies have a bigger size they can store more detailed information about users’ behavior and can remember unique visitors. Different types of browser can store and share your information. Deleting cookies would not prevent websites from controlling your interaction with them.
Fact: almost 98% of computers have Adobe Flash. This means almost everyone is exposed to Zombie Cookies.
Some people feel that if you delete or block a cookie, it should stay deleted. Regular deletion of cookies will not affect Zombie Cookies. Some people consider sites that use them to be breaching their privacy. Clearspring and affiliated sites owned by Walt Disney Internet Group, Warner Bros and others had a huge lawsuit filed against them. Adobe Flash cookies were the focus. They were being used to “track Plaintiffs and Class Members that visited non-Clearspring Flash Cookie Affiliates websites by having their online transmissions intercepted, without notice or consent”.
How to kill them?
Before: You had to uninstall Adobe Flash, and re-install it.
Now: Go to Adobe’s webpage and set controls on the Global Privacy Settings page (Google this for more details). If you use Firefox you can get rid of Flash cookies, including zombie cookies, by using the BetterPrivacy add-on.
This is an example of a VERY persistent cookie file. A cross between the Super and Zombie cookie types.
Talk about the possibility of invasion of privacy and the possible misuse of personal data.
Read my post below to learn how such internet cookies can be misused!