More Toilet paper on Aisle Five...!
Imagine that, every time you went to the supermarket, your movements within the store were tracked.
Someone, somewhere, would have
access to which aisles you went down,
which items you picked up and
examined, which items you bought.
Of course, you wouldn't know this
information was being collected,
or by whom, or for what purpose.
"But this is America!" you protest.
"It couldn't happen here!"
Well, it happens on the World Wide Web
through small digital devices called
cookies.
In this issue of The Web Unraveled,
we'll take a look at cookies and some of
the issues surrounding them.
- John Blower
Not Available from the Girl Scouts...
Cookies sound pretty harmless. Who could possibly object to getting one? Well, these ones are neither Milanos nor the ones you are pressed to buy outside Safeway by the ubiquitous Girl Scouts.
So what is a cookie? A cookie is a small bundle - or "nugget" - of information
that is sent to your browser from a World Wide Web Server. This block of data
can be anything - a unique User ID generated by the server, the current date
and time, the IP address of where your browser logged on to the Net, or pretty
much anything else. The only limitation is its size, which is 255 characters.
After a browser receives a cookie it sends it back to the server that set it
whenever it (the browser) requests an HTML page. The browser will only send the
cookie to the server that set it. This means that a server can't tell if you
have cookies that other sites have set. In other words, cookies set by other sites can't be accessed.
Cookies have lots of potential applications. They could, for example, be used
for site personalization. Suppose you don't want to see banner advertisements
when you visit a certain site. The site owner could set a cookie which allows
you to deselect banner ads. This option would prevail until the cookie
expired.
However, the most common use - and the one most open to abuse - is to track the
movements of site visitors. A cookie can provide a "virtual trail" of an
individual visitor through a site as well as provide a more accurate count of
site visitors.
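The two behaviours described above, a browser returning a cookie only to the server that set it and a site using that cookie to follow one visitor from page to page, can be seen in a small simulation. This is an added example, not code from the original article; the host names, the cookie name "visitor" and the Browser and Server classes are made up for illustration.

```python
import itertools
from http.cookies import SimpleCookie

class Browser:
    """Toy cookie jar: keeps cookies per host and returns them only to that host."""
    def __init__(self):
        self.jar = {}  # host -> {cookie name: value}

    def request(self, server, path):
        # Only cookies previously set by this host go into the Cookie header.
        own = self.jar.get(server.host, {})
        sent = "; ".join(f"{k}={v}" for k, v in own.items())
        set_cookie = server.handle(path, sent)
        if set_cookie:
            for name, morsel in SimpleCookie(set_cookie).items():
                self.jar.setdefault(server.host, {})[name] = morsel.value
        return sent  # what the browser disclosed on this request

class Server:
    """Toy site: tags each new visitor with an ID and logs the pages they request."""
    def __init__(self, host):
        self.host = host
        self.trails = {}  # visitor id -> list of paths, the "virtual trail"
        self._ids = itertools.count(1)

    def handle(self, path, cookie_header):
        visitor = SimpleCookie(cookie_header).get("visitor")
        if visitor is None:
            # First visit: mint an ID and ask the browser to store it.
            vid = f"{self.host}-{next(self._ids)}"
            self.trails[vid] = [path]
            return f"visitor={vid}; Path=/"
        # Returning visitor: the cookie links this request to earlier ones.
        self.trails.setdefault(visitor.value, []).append(path)
        return None

def demo():
    # Constructed hosts and paths, for illustration only.
    shop, news = Server("shop.example"), Server("news.example")
    user = Browser()
    sent = [user.request(shop, "/aisle5"), user.request(news, "/front"),
            user.request(shop, "/toilet-paper"), user.request(shop, "/checkout")]
    return sent, shop.trails, news.trails

if __name__ == "__main__":
    for part in demo():
        print(part)
```

The news site never sees the shop's cookie, while the shop can join all three of its own page requests into one trail.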
A Web site can also use cookies to record information visitors might enter
about themselves, such as a credit card number typed in to order flowers or a
plane ticket.
That's where privacy issues start. Imagine a nosy Java programmer who cooks up
applications that look for the information stored in cookies...
But a Java programmer who could do that could also get access to just about
anything on your hard drive - and you could lose a lot more than your cookies.
Of course, most of the information cookies routinely collect is already
available in one form or another. My own server statistics, for example,
identify individual servers and the browsers used by visitors. A recent visit
to the Center for Democracy & Technology Privacy Demonstration Page told me the following without the
benefit of a cookie:
The issues around cookies, then, are not really about the collecting of
information per se. After all, information has been collected about our buying
and viewing habits for years. Rather they fall into two major areas.
The first issue concerns the site user's knowledge that information is being
collected in cookie form at all. Cookies have been around since Netscape v2.0.
But it is only in the six months or so since the launch of Netscape v3.0 that
they have become an issue.
Privacy advocates, such as
The Electronic Frontier Foundation, make a convincing case for consumers to be informed
upfront that they are subject to data-collection by site providers. Indeed,
Netscape v3.0 allows users to decide whether or not they wish to accept
cookies.
If you want to disallow cookies in Netscape v3.x, select the OPTIONS menu. From
within that, select the NETWORK PREFERENCES MENU item. From the window that
appears, select PROTOCOLS. Next, locate the section labeled SHOW AN ALERT
BEFORE. Now check the box ACCEPTING A COOKIE.
From here on out, every time you encounter a server which wants to set a
cookie, Netscape will present you with a dialog box like this:
It gets tedious constantly encountering the dialog box, but users at least have
a measure of control.
The second area of concern is the use to which the data gathered are put and
the extent of their distribution.
Of course, people have been having their TV viewing habits monitored for years
through boxes on top of their sets. The information collected has been used to
inform both advertising and program content. (And look where it's got us. As
Bruce Springsteen wailed "Fifty-seven channels and there's nothing on...")
While much information may never be used, it can be, and you have little
control over it. In the hands of a marketer with a powerful computer, or the
government, it is possible to build a detailed profile of your tastes and
preferences by monitoring your online activities. The information can be used
to send you unsolicited eMail or snail mail, to call you, or even to put you
on a list of people likely to support a particular political candidate. For
example, if your repeated visits to web sites containing information on
cigarettes result in free samples, coupons, or even eMail to you about a new
tobacco product, you may not be concerned. However, if your visits to these web
sites result in escalating insurance premiums due to categorization as a
smoker, this is a vastly different matter.
A number of organizations, including EFF, have banded together to address these
issues.
Under the umbrella of eTrust, they are encouraging
site owners to offer users full disclosure about the nature of data to be
collected, the uses to which they will be put and the extent of distribution.
Users will be alerted by a banner on the site's homepage.
Participation is voluntary, and a pilot program is due to be launched in
January 1997.
We shall see...
Andy's Netscape HTTP Cookie Info