Cookies are tiny bits of information that are stored by a web site when a user enters its site. The next time the user enters that site, the user's browser sends the information back to the site (Andrews, 1996). A cookie is typically designed to remember and tell a web site some useful information about the user.
Cookies are invisible to users, unless the users set preferences that alert them when cookies are being used. In most cases, cookies are harmless (Cole, 2002). Cookies cannot be used to gather personal information about users, unless the users provide the information.
Many Web surfers have a fear of cookies that is based on ideas from the media that cookies are a dangerous risk to Internet security (Lowe, 2002). However, the majority of cookies are actually harmless.
The Basics of Cookies and Their Impact on Security
According to Joshua Woodruff, E-Business architect at Avaya Communications, Inc., "Internet cookies, or small files that get downloaded to client browsers when surfing sites, can potentially expose a significant security risk."
The cookie file can contain information such as user IDs and passwords, credit card numbers, social security numbers, or any other piece of information the organization handing out the cookie feels it needs to store on a client system. This file exposes information that is then vulnerable to hackers who may be able to get onto a client system via the Internet and copy these files.
Why are cookies used then? This kind of information helps organizations track new and repeat visitors, provide automatic sign in, and pre-populate web pages with information entered the last time the client visited the site, among many other things. According to Woodruff, it "is completely up to the whims of the organization handing out the cookie as to what may be contained in the file and what it's used for."
Therefore, it is not necessarily the cookie itself that poses a security risk, but rather the level of expertise and professionalism used on the other end - the web development teams within these organizations that build the code for these cookie files and functions (Sterne, 1997).
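The point above, that the risk depends on what the developers choose to put in the cookie, can be checked from the outside. The following is an added example, not code from the original article: it audits the name=value part of a Set-Cookie header for the kinds of data the article lists, and shows the alternative of handing the browser only a random token while the data stays on the server. The field-name list, the `SESSIONS` store, the function names and the sample header are all constructed for illustration.

```python
import re
import secrets
from urllib.parse import unquote

# Constructed substrings of field names that should not appear in a cookie.
# Substring matching is deliberately broad, so expect some false positives.
SENSITIVE_KEYS = ("pass", "pwd", "ssn", "card", "cvv")
CARD_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
SESSIONS = {}  # hypothetical server-side store: opaque token -> user data

def luhn_ok(digits):
    """Luhn checksum: separates card numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def audit_set_cookie(header):
    """Return findings for the name=value part of one Set-Cookie header."""
    name, _, raw = header.split(";", 1)[0].strip().partition("=")
    value = unquote(raw.strip('"'))
    keys = [name] + [f.partition("=")[0] for f in re.split(r"[&|,]", value) if "=" in f]
    findings = ["secret-looking field: " + k for k in keys
                if any(s in k.lower() for s in SENSITIVE_KEYS)]
    if any(luhn_ok(m) for m in CARD_RE.findall(value)):
        findings.append("card-like number in value")
    if SSN_RE.search(value):
        findings.append("SSN-like number in value")
    return findings

def issue_session_cookie(user_data):
    """Keep the data on the server; the browser only gets a random token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_data
    return "sid=" + token + "; Path=/; Secure; HttpOnly; SameSite=Lax"

# Constructed sample: a cookie that carries the user's data in the clear.
WEAK = "profile=user%3Dalice%26password%3Dhunter2%26card%3D4111111111111111; Path=/"

if __name__ == "__main__":
    print(audit_set_cookie(WEAK))
    print(audit_set_cookie(issue_session_cookie({"user": "alice"})))
```

With the second form, a copied cookie file yields only a token that the server can expire, not the password or card number itself.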
When asked how to tell what level of skill and scrutiny a particular web developer has when visiting a particular web site, Woodruff's answer was, "You can't! Any time you visit any web site, you are exposing yourself to the code that's been written by a particular team of developers whom you can only hope use strict security guidelines in their development practices. Of course most professional, major web sites, such as Dell.com and Amazon.com, would not code cookies in such a way to expose any potential risk - right? But how do you know for sure?"
Protection is offered in the way of client browser controls. A client browser can be configured to accept any and all cookies, allow cookies only from sites it "trusts" (which a user could configure), or not allow any cookies (Gunderson, et al., 1996).
This presents the familiar scenario of security vs. usability: if a browser is configured for high security and set to not accept cookies at all, a lot of web sites will not be able to deliver full functionality to the client, whereas if the browser is configured for low security, the client may be able to experience full-featured web sites but at the same time exposes itself to vulnerabilities (Netscape).
Most reputable Web pages will have links to their security guidelines and even explain their usage of cookies. This information is provided to enhance awareness of the usage of information and should be used for Internet security.
Weighing the Benefits of Cookies with Their Threat to Internet Security
Cookies are mechanisms developed by the Netscape Corporation to make up for the stateless nature of the HTTP protocol (Netscape). Without cookies, every time a browser requests the URL of a page from a Web site, the request is treated as a completely new interaction.
The request, which is often just the most recent in a series of requests as the user browses through the site, may be lost. While this makes the Web more efficient, this stateless behavior makes it difficult to create things, such as shopping carts, that must remember the user's actions over a long period of time (Philips, 1995).
One of the major issues surrounding Internet security in today's society is keeping information secure and private. The Internet is a public network, so information can easily be shared with or stolen by others.
Fundamentally, cookies are harmless pieces of text. They cannot be used as a virus and cannot access the hard drive. However, cookies, when transmitted through a website, can have an impact on Internet security.
Cookies can negatively affect user security when they are used for other purposes (Andrews). When a browser accesses and surfs Web sites, it leaves a trail of information across the Internet, including the name and IP address of the computer, the brand of browser used, the operating system that is run, the URLs of the Web pages accessed, and the URLs of the pages last viewed (p. 17).
Dangers of Cookies to Internet Security
Cookies basically enable companies or individuals to follow this trail to learn about the Web browsing habits of the user.
For example, the DoubleClick Network develops profiles of individuals using the World Wide Web and sends them advertising banners customized to their interests (Descy, 1999). DoubleClick's clients are Web sites that want to advertise their services.
Each of DoubleClick's clients becomes a host for the advertising of other members of the network. The clients also create advertisements for their products and services, and submit them to DoubleClick's server.
Each Web site uses its site to link with DoubleClick. If a user views one of these pages, his browser automatically links to DoubleClick's server to retrieve one of its members' advertisements and return it to the browser. When the user reloads the page, a different advertisement appears (p. 50).
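The pattern described above, one advertising server contacted from many member sites, is visible in a browser's own request log. The following is an added example, not part of the original article: it scans a constructed log for third-party hosts that received the same cookie while the user was on several different sites. The host names, cookie values and function names are made up, and taking the last two host labels as the "site" is a simplification of real registrable-domain rules.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed browser request log: (requested URL, Referer, Cookie header).
LOG = [
    ("https://news.example/story", "", "sess=n1"),
    ("https://ads.adnet.example/banner?slot=1", "https://news.example/story", "uid=7f3a"),
    ("https://img.news.example/logo.png", "https://news.example/story", "sess=n1"),
    ("https://shop.example/cart", "", "sess=s9"),
    ("https://ads.adnet.example/banner?slot=4", "https://shop.example/cart", "uid=7f3a"),
    ("https://cdn.example/lib.js", "https://shop.example/cart", ""),
    ("https://travel.example/", "", ""),
    ("https://ads.adnet.example/banner?slot=2", "https://travel.example/", "uid=7f3a"),
]

def site(url):
    """Approximate the registrable domain as the last two host labels."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])

def cross_site_trackers(log, min_sites=2):
    """Map (third-party site, cookie) -> the sites it was sent from."""
    seen = defaultdict(set)
    for url, referer, cookie in log:
        # Skip direct navigations, cookieless requests and same-site loads.
        if not referer or not cookie or site(url) == site(referer):
            continue
        for pair in cookie.split(";"):
            seen[(site(url), pair.strip())].add(site(referer))
    # The same identifier seen from several sites links those visits
    # into one browsing profile held by the third party.
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_sites}

if __name__ == "__main__":
    for (host, cookie), sites in cross_site_trackers(LOG).items():
        print(host, cookie, "seen from", ", ".join(sites))
```

Hosts reported here are candidates for the browser's per-site cookie controls mentioned earlier in the article.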