Cyberhygiene

Should I Disable Cookies on my Browser?
February 03, 2006

by David Francis, Web Programmer, Information Technology

Modern browsers have sophisticated settings for managing what content you will accept from a website. On most browsers you can choose to suppress pop-up windows, client-side scripts, Java/ActiveX controls, and Cookies. In an era of Internet-spawned viruses, worms, and Spyware, people are trying to do whatever they can to protect their computers, and setting the highest possible security settings on a browser can give users a sense that they are doing their utmost to prevent problems. However, turning off items such as Cookies provides very little (if any) extra security for your computer and can result in a highly diminished experience. In this article I will discuss what Cookies are, what they do, and why you shouldn't be afraid to use them.

What are Cookies?

Cookies are simple text files that a browser saves on your computer at the request of a website you visit. Normally your browser does not allow a website to write anything to your computer, but for convenience's sake, browsers allow this simple, highly regulated process. Below is a cookie that gets set on your computer when you visit the Bowdoin Faculty-Staff digests:

digests_usertype
staff
www.bowdoin.edu/digests/
1536
1779375104
29836851
4049901200
29763425
*

This small scrap of text tells your browser to remember that, when you go back to the www.bowdoin.edu/digests URL, you are a staff person and should see the Faculty-Staff digest by default. This is just a simple example of a Cookie providing a convenient shortcut for a user.
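To see exactly what that record holds, the following added example (not part of the original article) parses it. It assumes the record uses the legacy Internet Explorer cookie file layout (name, value, host/path, flags, expiry and creation times as two 32-bit FILETIME halves each, then a `*` terminator), which the article does not state; the function and field names are illustrative.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FIELDS = ("name", "value", "scope", "flags",
          "expires_low", "expires_high", "created_low", "created_high")

# The record shown in the article, copied as-is.
ARTICLE_COOKIE = """digests_usertype
staff
www.bowdoin.edu/digests/
1536
1779375104
29836851
4049901200
29763425
*
"""

def filetime_to_utc(low, high):
    """Join the two 32-bit halves of a Windows FILETIME (100 ns ticks since 1601)."""
    ticks = (high << 32) | low
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def parse_cookie_file(text):
    """Parse '*'-terminated records; reject anything that is not a complete record."""
    cookies, record = [], []
    for line in text.splitlines():
        if line != "*":
            record.append(line)
            continue
        if len(record) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(record)}")
        raw = dict(zip(FIELDS, record))
        host, _, path = raw["scope"].partition("/")
        cookies.append({
            "name": raw["name"], "value": raw["value"],
            "host": host, "path": "/" + path, "flags": int(raw["flags"]),
            "expires": filetime_to_utc(int(raw["expires_low"]), int(raw["expires_high"])),
            "created": filetime_to_utc(int(raw["created_low"]), int(raw["created_high"])),
        })
        record = []
    if record:
        raise ValueError("trailing lines without a '*' terminator")
    return cookies

if __name__ == "__main__":
    for c in parse_cookie_file(ARTICLE_COOKIE):
        print(c["name"], "=", c["value"], "| returned only to", c["host"] + c["path"])
        print("created", c["created"], "| expires", c["expires"])
```

Under that layout the record decodes to one name/value pair, the host and path it is returned to, and a lifetime of one year from creation.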

Why are Cookies Safe?

The World Wide Web Consortium says this about Cookies:

Cookies cannot be used to "steal" information about you or your computer system. They can only be used to store information that you have provided at some point. To give a benign example, if you fill out a form giving your favorite color, a server can turn this information into a cookie and send it to your browser. The next time you contact the site, your browser will return the cookie, allowing the server to alter background color of its pages to suit your preferences. [1]

Unlike viruses or Spyware, Cookies are not uncontrollable, unpredictable bits of code that covertly find their way onto your system. In fact, Cookies are highly regulated and manageable. Here are some of the enforced properties of Cookies that make them harmless:

  1. They are simply text. Cookies are required to be simple text--they cannot be software such as a virus or Spyware.
  2. They are localized. A website doesn't have access to your computer's file system. If it wants to place a Cookie on your computer, it can only set it in the Cookie folder specified by your browser.
  3. They are limited in size. Browsers do not allow Cookies to take up more than a set amount of space.
  4. They are manageable. Unlike Spyware and viruses, Cookies are up-front and transparent. They aren't meant to be hidden or covert. Browsers allow you to remove Cookies at any time or even set what sites may set Cookies.

What about Privacy Issues?

cookiecentral.com notes that:

If you're going to single-out cookies as your sole vulnerability to personal privacy, you should re-examine how you live your daily life. [2]

Their point is simply that the privacy concerns related to Cookies pale in comparison with the privacy risks involved in, say, using a credit card, online banking, or ordering from a catalog. The built-in safeguards discussed above prevent Cookies from ever becoming a serious liability, but some annoying businesses like doubleclick.com make use of Cookies to track data about people visiting websites. But even this behavior is limited by the inherently benign nature of Cookies. Here is what happens:

A website such as widgetsareus.com helps pay the bills by allowing advertisers to place ads on its pages. The images for these ads actually live on a different website run by a business such as doubleclick.com, and when you fetch their content they send back a Cookie to store on your computer that remembers that you have an interest in widgets. Then the next time you visit a website that has advertisements hosted by doubleclick.com, doubleclick.com can read the Cookie and decide the best kind of advertisement to place on the page based on your past visits.

This is sneaky behavior, but you will have to agree it isn't exactly on the level of identity theft. And doubleclick.com is only reading its own Cookies. All they have for data is a timestamp, an IP address, and some information about your browser (information you leave behind for every website you visit, Cookies or no). They don't have some way of grabbing information you didn't provide (such as your name, address, email, etc.). It isn't actually stealing any data about you that it couldn't get without the aid of Cookies; it is merely using the Cookies technology as a sort of categorizing agent.

What Should I Do Then?

If you enable Cookies and let any website set one, you will not be opening yourself up to any serious security problems. I personally have never bothered to worry about Cookies. On the other hand, if you still have concerns about cookies, browsers such as Firefox allow you to choose which websites may set cookies. So, for example, if I have managed to convince you that Bowdoin-made Cookies are harmless, but you still despise the idea of someone like doubleclick.com using you for their advertising tools, you can choose to allow cookies for only certain websites.
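The added example below (not part of the original article) replays the doubleclick.com scenario described earlier and the per-site setting described above, first with every site allowed to set Cookies and then with only www.bowdoin.edu allowed. It uses Python's http.cookiejar as a stand-in for the browser's cookie store; the `id=abc123` value, the URL paths and the second site name are constructed, and no network traffic is sent.

```python
import email.message
import urllib.request
from http.cookiejar import CookieJar, DefaultCookiePolicy


class FakeResponse:
    """Stand-in for an HTTP response; CookieJar only calls info() on it."""

    def __init__(self, set_cookie_values):
        self._headers = email.message.Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value  # repeated headers are appended

    def info(self):
        return self._headers


def fetch(jar, url, set_cookie_values=()):
    """Simulate one request: note the Cookie header sent, then store the reply's cookies."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    sent = request.get_header("Cookie")
    jar.extract_cookies(FakeResponse(set_cookie_values), request)
    return sent


def browse(policy):
    """Replay the article's scenario under a given cookie policy (constructed values)."""
    jar = CookieJar(policy)
    # Ad image loaded while reading widgetsareus.com: the ad host hands out an ID.
    fetch(jar, "http://doubleclick.com/ad?shown_on=widgetsareus.com", ["id=abc123; Path=/"])
    # Ad image loaded later from a different site: is the ID sent back?
    to_ad_host = fetch(jar, "http://doubleclick.com/ad?shown_on=other-site.example")
    # The Bowdoin digests preference cookie from earlier in the article.
    fetch(jar, "http://www.bowdoin.edu/digests/", ["digests_usertype=staff; Path=/digests/"])
    to_bowdoin = fetch(jar, "http://www.bowdoin.edu/digests/")
    return to_ad_host, to_bowdoin


ACCEPT_ALL = DefaultCookiePolicy()
BOWDOIN_ONLY = DefaultCookiePolicy(allowed_domains=["www.bowdoin.edu"])

if __name__ == "__main__":
    print("accept all  :", browse(ACCEPT_ALL))
    print("bowdoin only:", browse(BOWDOIN_ONLY))
```

With the allow list in place the ad host's Cookie is never stored, so the second ad request carries no ID, while the digests preference still works.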