
Comment of the Fortnight
5 July 1997
Cookie Paranoia

I recently had a conversation with a person who was afraid of getting on the Internet because he had heard about people storing "cookies" on his computer. He was afraid that this was a big security risk.

I explained to him that a "cookie" is, indeed, data that a web site stores on his machine. However, these cookies are keyed by the site that stores them. That is, if company 1 at www.company1.com sets a cookie, only web pages that also come from www.company1.com can retrieve that data. Web pages from www.company2.com don't have access to company 1's cookies, and vice versa.
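The site-keyed lookup described above, as an added sketch that is not part of the original commentary. `CookieJar`, `domainMatch` and `demo` are hypothetical names, and the sketch goes one step past the text by also handling the optional Domain attribute, using the matching rule from RFC 6265.

```javascript
// Minimal cookie jar: which stored cookies does a browser send to which host?
// Domain matching follows RFC 6265 section 5.1.3. Paths, expiry, the Secure flag
// and the public-suffix check real browsers also apply are left out.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase().replace(/^\./, "");
  if (host === domain) return true;
  // A suffix match counts only on a label boundary, and never for IP addresses.
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + domain);
}

class CookieJar {
  constructor() { this.cookies = []; }
  // Store a cookie from a response served by `host`. `domainAttr` is the
  // optional Domain attribute of the Set-Cookie header.
  set(host, name, value, domainAttr) {
    host = host.toLowerCase();
    let domain = host, hostOnly = true;
    if (domainAttr) {
      // A site may widen a cookie to its parent domain, never to a foreign one.
      if (!domainMatch(host, domainAttr)) return false;
      domain = domainAttr.toLowerCase().replace(/^\./, "");
      hostOnly = false;
    }
    this.cookies = this.cookies.filter(c => !(c.name === name && c.domain === domain));
    this.cookies.push({ name, value, domain, hostOnly });
    return true;
  }

  // Cookie header value the browser would attach to a request for `host`.
  header(host) {
    host = host.toLowerCase();
    return this.cookies
      .filter(c => (c.hostOnly ? c.domain === host : domainMatch(host, c.domain)))
      .map(c => `${c.name}=${c.value}`)
      .join("; ");
  }
}

// Constructed sample using the host names from the text.
function demo() {
  const jar = new CookieJar();
  jar.set("www.company1.com", "visits", "3");
  jar.set("www.company2.com", "visits", "7");
  const rejected = !jar.set("www.company2.com", "visits", "0", "company1.com");
  return { toCompany1: jar.header("www.company1.com"),
           toCompany2: jar.header("www.company2.com"), rejected };
}
```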

"Yes," he said, "but what about company 1 taking all the cookies and selling them to a mailing house?"

Well, they can already do that without cookies. When you visit company 1's site, it's already possible for them to gather certain data and store it on their computer, and you will have absolutely no clue that they are doing this. (You can at least set your browser so that it will notify you whenever someone tries to set a cookie.) The only difference is that the cookie saves the company disk space by keeping the data on your disk. In fact, you can go into the cookie file on your disk and wipe out any cookies you don't like! This is an option you don't have when the company keeps the data to itself.

What's in a cookie, anyway? Most of the time it is NOT personal information about you (like your name, address, social security number, etc.). Instead, it's usually a cleverly encoded number that tells how many times you've visited a page, and what was the last page you looked at, so that a website can "pick up where you left off" the next time you visit.

In fact, if you don't fill out a form, just about the only thing that a company can reliably count on finding out about you is your IP (Internet Protocol) address. This address looks like a set of four numbers, like this: 192.93.38.10. It is possible that they can also obtain your domain name (like internet_provider.com), and possibly even your user name. But neither of those is absolutely guaranteed.

"Can't they find out my phone number by setting a cookie?" he asked.

No. No way at all. If you don't fill out a form and give your phone number, that information is totally unavailable to the web site.

-o-
So yes, cookies are a way for a company to keep track of where you've been within their site. There are security issues involved with cookies, but don't go overboard. Cookies aren't some horrible ogre waiting to spit out the name of your firstborn male child, your ex-wife's address, or your deepest darkest secret at a moment's notice to anyone who passes by.
