The Cookies FAQ

There are two common problems with logging into our site that involve cookies. The most common is that you have an older cookie that the site no longer recognizes because of a software upgrade or something. remove shows you steps in removing cookies.

The other problem is less common: the site may be blocked from giving you a new cookie – your browser may have blocked future cookies when you deleted the older ones. To fix this, see permit.

• permit – This website uses cookies for some services.
• remove – At times, you may need to remove our cookies, or someone else's.

Q What are cookies?

A Cookies are small pieces of text (your browser usally stores them as files) which the server gives your browser that act as “tickets” for what ever you are doing on the website. Often, they provide some sort of identity; Microsoft based serves often uses a 128-bit random number (a GUID) for cookies, other servers may use any random item that can be your ticket. If you login to the server, it may save some login information such as your account ID and a random string that identifies your session.

The important thing to know is that your browser will only give a cookie back to the server that issued it. So, if you visit a website that has a shopping cart, you quite possibly have a cookie the server uses to track what you said you wanted to buy. But no other webserver will ever see that cookie.

Q What can a cookie do?

They themselves do nothing. Do not be concerned that cookie contains a virus or an evil program of some sort has been placed on your computer. The cookie is a text file. It is not executable and it can't run like a program.

A cookie is used a “tag” on your computer like they “tag” bears on those Saturday morning wildlife shows that play right before the football games. That “tag” holds information that the server wants to be reminded of when you return:

• How many times your computer has stopped in.
  The server may post to a page a message welcoming you back for the ##th time.
• What your computer did while you were in the site.
  Let's say you go into a shopping site. You order six things from four different pages. The cookie records the purchase and the price. At the end, you click a button and your total is displayed. In addition, when you return, the server knows you have purchased before and may then send you directly to items you are interested in or offer a special as a return customer. You'll often hear this type of cookie usage referred to as a “Shopping Cart.”
• Keep track of a special name and password.
  When you log into this site, if you check the “Remember me” option, we'll set a cookie that allows your computer access to your user ID on this site then next time you come back.

Please remember that the cookie denotes your computer, not you1). The server has no idea who you actually are unless you tell them by offering your name or e-mail address.

Q Where does the term “cookie” come from?

It's an older bit of programmer slang for a piece of data stored to communicate between two processes, typically separated in time, and often as some kind of tag. The fuller form is “magic cookie.” It was used as far back as the late '80s, at least. The term “magic cookie” was probably originally coined in reference to one of those old adventure games (perhaps “Adventure” itself) in which you had to give some character a magic cookie to get something from it (analogous to cookie verification), but that may be a technology myth.

Q Why does the NPL website use cookies?

A If you login to the webserver and check the “Remember me” option, we save a cookie that has your user name, IP and password encrypted into it. If you return to the website with the same browser from the same IP address, the server will automatically log you into the server.

Q What if I don't allow Cookies? Can I still use the website?

A Generally, yes. Like most websites, we simply use either “Session Variables” or “Session Cookies” – assuming you allow at least session cookies. The value of these two technologies is simple: when you close your browser, all the information is lost, permenantly. In most cases, it was never written to the disk at all.

Internet Explorere 7 has an interesting option here (This could be one of the few redeeming things about any IE version) in that it has an option to force ALL cookies to be session cookies regardless of the webserver's request. This should be transparent to the user and the server; cookies are permitted but are deleted when the browser closes. However, there is currently a bug in the implementation; if you open a second window and close either of the windows, ALL cookies will be deleted and all session information is lost to the remaining window. So, the feature that exists is all cookies are deleted when ANY Internet Explorer window is closed.

Q Are cookies a security concern for me?

A Probably not.

• Cookies can not return any information from your computer that the original server didn't already know. If you didn't login, it doesn't really know who you are. And, just by knowing your IP, they know more than a cookie tells them anyway.
• Cookies can not be executed and can not be a virus and can not in any way alter your computer.

Q Can cookies be used for evil?

A Yes, they can. The most common “bad” cookie is a tracking cookie. They don't know who you are but they do know what you do online. Consider how Amazon is always advertising “People who bought X also bought Y” when they know you have also bought X. Tracking Cookies allow companies to say “People who shop on site X also tend to shop on site Y” which can influence things like where sites choose to advertise, what products they may add to their business, or even when to prevent specific advertisers because they are distracting customers away from your site.

But…!! We also said cookies aren't a security threat, right? Once you see that any request to a webserver can result in a cookie and, on any future request, that cookie can be returned to the server, then you can see the problem of banner ads and ”Web Bugs”.

Q Are cookies required for doing evil?

A Not at all. Your IP Address is currently a larger and faster growing concern because, unlike dial-up, broadband connections tend to have fixed IP addresses. This means advertisers need cookies less than before as your IP address is fixed and pretty much identifies you or your family. In fact, the latest trend in internet marketing is to trade data based on IP Addresses because IP addresses are like street adddresses, they have a geographic identity so that the advertising company can say “we have a user in a suburb of [pick a city] who has broadband and visits sites for these products more than once a week.”

They can also sell advertising to vendors based on the fact they know where you live. Have you noticed that you now get ads that say “Wouldn't you like to meet singles in [your city]?” This is IP address geography at work.

Another trend that most people are unaware of is the new ability to combine databases based on IP Addresses. When cookies were used, two companies couldn't say your customer 123456 is my customer xvRgTASmN … let's combine their data and our observations. Now they can say definitively these two homes are the same. In fact, they no longer seem to care if you are on dialup in most cases because your data still fits the statistical analysis for your community.

In general, cookies are anonymous and don't get shared across web servers to protect your privacy. These are good things.

The problem is how some people use graphics to “bug” your browser in the sense of listening for things you'd normally consider private:

• Banner ads generally come from someone else's site, not the one you think you are visiting – generally these are called “third-party servers.”
• “Web bugs” are also on third-party servers but are less obvious since they are generally transparent graphics or blended into the page so they are hidden to you … but they generate webserver requests that serve no apparent purpose other than give the sending server access to your browser and information … albeit, its still just the cookies they have sent you before, or send you with the graphic.

Web Bugs are images (Gifs, Jpegs, PNGs, etc.) that companies and organizations put into web pages, e-mails and other HTML supporting documents to track information about the viewer. These images are sometimes known by other names such as tracking bugs, pixel tags, web beacons or clear gifs. What ever the name, their function is largely the same.

Under normal circumstances an organization would just look at their web logs to find the kind of information that a Web Bug might provide them. However, if the content the web bugger wishes to track is not hosted on their site, but instead its hosted from a third party’s server, then the web bugger can not obtain this information since they would not have access to the web server logs. By putting an image from one of their servers into an HTML E-mail or a third party’s webpage the Web Buggers can find the data they want about the contents viewer. Some of the interesting information items that can be obtained about the viewer are:

* IP Address
* Hostname
* Operating System
* Web browser type (IE, Mozilla, Opera, etc.)
* Date the image was viewed
* If cookies are used
* other sites visted

“Other sites visted” includes site(s) you were looking at before this page, also called the “referrer.”

Note: Because all Microsoft products use Internet Explorer to view HTML, it means a web bug embedded in anything has access to the cookies in IE! In your E-mail using both Outlook and Outlooke Express, Word Documents, web pages, Windows Explorer, … etc.

A web bug is just as effective as a banner at at gathering information about you, but it is more subtle because its not visible. Many people find this secretive approach more offensive than the ever-present ads for pornography sites simply because you don't know when you're being watched.

With Banner ads and Web Bugs, the more sites you visit the more they get to know what you like and the more they show you ads for things you're more likely to be interested in. Even if your identity is just a random number, the server can learn things about you. For example:

• You visit a website that includes an advertising image from www.evil-example.com, for example. When you get that image, you also get a cookie that says you are user 123456.
• You visit other websites over time that also have an advertising image from www.evil-example.com which, when it passes you your latest ad image, the server also gets your cookie back and the URL of the page where you are browsing.

The advertising server for www.evil-example.com can now build a database saying user 123456 has visited [at least] two specific webpages and can keep count of how often and track your last visit. This means that, while it doesn't know who YOU are, it does know:

• your IP address is.
• your computer's operating system and browser.
• other servers you visit and what else you are seeing on the internet.
• they know if you click on their ad or not.

This data is why advertisers want their ads everywhere. Whether users click or not, they get data. So, when they get data 100% of the time, paying per-click is a pretty low rate. This is also a “dirty secret” about the banner advertisers; they really aren't too worried whether or not you click on the ads; the fact your browser asked for it makes them money anyway.

Target marketing is the motive:

• they want to know where the people who click on their ads tend to come from, the specific sites and pages;
• they want to know what they should be marketing on any particular page. Just like your grocery store knows to put spaghetti sauce next to the spaghetti noodles, they learn that if they advertise X next to Y they get a better response. The topic is called “data mining” and is way beyond what you asked .

Another violation of privacy has been observed: requests for Banner and Web Bugs may include identifying information about you which is then associated to the cookies on your computer. This allows the data about you across all the sites using that tracking GIF to build up quite a profile about where you go on the internet and what pages you see.

So, if you visit www.exploitivevendor.com and they send a page to you, then embed in the page a request for the GIF with extra data about who you are (it may simply be a customer number on their site – so still sort of anonymous). The site www.evil_banner_ads.com send the GIF, and adds your identifying info into your cookie or (worse?) into their database. Over time, other vendors add their tid-bits of ID to your information the same way.

Remember how cookies were tags for computers and not people? Well, if you access any of the participating vendors from another PC, site www.evil_banner_ads.com can connect the user at your home PC with the user of your handheld or laptop PC, or even when you are at your parent's home fixing their PC … no longer are any of these users really anonymous any more. This is where cookies go really bad. And its not the cookies fault.

Q Is there a way to stop all this advertising stuff from taking advantage of me?

A Yes, there are a number of ways depending on your system:

• Use options to block (or at least prompt you about) cookies from “third-party sites” – since you are on www.puzzlers.org you shouldn't expect to see cookies from ads.doubleclick.net – and this blocks just the cookies, so you can see the ads, but they can't see you which is, as Martha would say, a very good thing.
• If you use prompting for “third-party cookies,” you should use the opportunity to black-list the sites (when asked, “block” + “Always use this answer for this server”). You will be surprised how fast the advertising drops on web pages.
• For Windows users, a piece of software called Spybot Search and Destroy includes a feature to “immunize” your PC. What this does is add a list of about 31,000 servers to your computer's blacklist (for IE versions only) and your computer will no longer make any requests to these sites. Spybot is FREE and can updated easily. It also removes about 70,000 internet related problems from your computers in just a few minutes. See also: Spybot Search and Destroy's new home page.
• Also for Windows users, several of the Anti-virus software companies are creating their own blacklists and preventing your browser from getting addresses from specific advertisers. Sometimes these are called “internet security” packages.
• Google is provides search results for a huge number of websites, but has recently introduced a “grey list” of sites that generate a warning of “these sites seem to be hazardous to your computer” to reduce your opportunities to be infected.

See also:

• http://buddymarks.com/privacy.php
• http://www.junkbusters.com/cookies.html