Cookies- Not Spyware

by SpywareGuide Staff

We frequently gets questions from users about the use of cookies. Frequently this happens after a “spyware scan” where the users wonder why these spyware cookies were not found by our scanner when another scanner picked them up as a "threat".

While there are privacy implications associated with cookies we feel that they should not be classified as spyware. The cookie, like any internet technology, has the potential for abuse but it also performs many vital functions that contribute to efficiency and speed of the Internet experience.

Are cookies spyware?

No. There is nothing mystical about the cookie. They are merely text files that are placed on a user's computer by Web sites that the user visits. Cookies may contain and provide identifying information about the user to the Web sites that place them on the user computer, along with whatever information the sites want to retain about the user's visit. They do not install trojan horses or malicious code. They do not monitor keystrokes or steal your credit numbers.

If not Spyware Then What?

Typically Web sites use cookies to track visitor information. For example, a surfer might shop for an item in an online store, but once they have placed the item in their online shopping cart, they decide to comparison shop at another site. The online store can choose to save the information about what products were in the shopping cart in a cookie on the surfer's computer. When the user returns to the site, the product is still in the shopping cart and ready for the surfer to checkout if they wish to complete the sale. This is a matter of convenience and a great use of cookies to provide convenience. In reality it is not possible to shop at most online stores without the use of cookies.

Another example of cookie use is with the targeting abilities of online ads. While many users don’t like online advertising it is a necessary component for web sites to generate revenue. Without revenue the site cannot pay for bandwidth, servers, programmers, artists, content writers and other resources it needs to remain open and serve users. Cookies, in this case, give the site some basic feedback on what the user may or may not want in terms of advertising. We feel that targeted advertising can be a useful resource for users and untargeted and obtrusive advertising degrades the value for the end user.

Could Cookies be Abused?

Any technology can be abused. Historically some developers have been known to use cookies to gather information without the surfer's knowledge. Perhaps this is one reason behind why they have been erroneously tagged as “spyware”. Usually this form of abuse stems from using cookies differently then the developer has stated in their privacy policy through omission or deception. This type of abuse is typically very difficult to pinpoint. Normally this type of abuse is not a major security threat but more a threat to the end user’s privacy.

Another point of potential and common abuse is in the work environment. Work supervisors have been known to audit the cookie cache. This means they may look through cookie folders and URL surfing history to determine where a user has been surfing or what they are doing with their time at the workstation. This is a "low-tech" form of spying. Cookies can provide a lot of information on a user’s surfing habits if you know where to look.

For example it is easy to probe through the browser and other program’s data to get a general idea of what a user is doing online or where they are shopping. Likewise it will show if a user’s machine has been connected to a URL that serves adult content. This is a case of a benign technology being abused for covert purposes. Keep in mind that in this case the cookie is still not doing anything malicious. The cookie is not spying on the end user- the supervisor is doing the spying.

In the work environment users should understand that nothing is private and everything is potentially open for inspection by the employer. Be aware of this ability to inspect your browsing at all times and consult your employee handbook if you are unsure of your work place privacy policies. Also be aware that employers may deploy true spyware technology to log what you do, where you surf, and every e-mail you send. This is a far more critical threat than auditing cookies. Also employeers can use packet sniffers to inspect traffic as it leaves your computer. The only defense to this type of spying is to use encryption.

What Should You Do?

Most importantly do not fall prey to the fear mongering that some company's use to sell their products. Cookies will almost always be found on your machine during a "scan" because they are used by almost every web developer. The presence of cookies on your hard drive is normal, natural and expected. They are not security threats waiting to steal your credit card information.

If you discover cookies on your machine (and you will if you surf) we advise you to take some advice from the Hitchhiker’s Guide to the Galaxy- Don’t Panic. For the most part cookies are a benign technology that usually requires human intervention for abuse. Ultimately the use of cookies is in the hands of the end user. You may want to block certain cookies, or simply delete them periodically or only after you end the browsing session. You can quickly do this in the X-Cleaner tab with the click of a button including the troublesome index.dat file.

You can also change your browser’s settings which will allow you to restrict the use of certain cookies or block them altogether. For advanced users you can take control of cookie use on your own.

In Mozilla and Netscape, go to Edit > Preferences.

With the latest versions (6.0+) of Internet Explorer, go to Tools > Internet Options.
Click the Privacy Tab and press the "Advanced" button.
Check "Override automatic cookie handling" and "Block" under Third-party cookies.
You can also set First-party to prompt but this can be tiresome- especially if you like to shop online.

This article is copyright 2005 by XBlock.com.
It may not be reprinted or copied without the express written consent of the author.

Read other articles (back to full list)