What Are Cookies?

Also known as browser cookies or tracking cookies, cookies are small, usually encrypted text files, located in your browser’s directory. They are used by publishers on the Internet to help users navigate websites and perform certain functions. Thanks to their core role of enhancing usability or site functions, completely disabling cookies may prevent users from using certain websites. This is how some sites know when you return and keep you logged in, or will display a particular page that you like. Often a cookie may be used to show some content only once – say a popup or popunder or some other advertisement that shows only the first time you visit a site and not every single time you change pages or revisit.

Cookies are created when your browser loads a particular website. The website sends information to the browser which then creates a text file. Every time the user goes back to the same website, the browser retrieves and sends this file to the web server. Cookies are created not only by the website that the user is browsing at any particular moment, but also by other websites that run ads, widgets, or other page elements. These cookies govern how the ads appear or how the widgets and other elements function on the page.

Standard uses for browser cookies

Websites set cookies to help authenticate a user if the user logs into a secure area of a website. Login information or credentials are stored in a cookie so that the user may enter and exit the website without having to re-type the same login information over and over again.

Session Cookies

Session Cookies are used by the web server to store information about user page activities so users can easily pick up where they left off on the server’s pages. Without using such cookies, a webpage can not ‘remember’ where you were on your last visit – this can only be done with the use of session cookies. Session Cookies tell the server what pages to show the user so the user doesn’t have to remember where he/she left off or start navigating the site all over again. Session Cookies function almost like a “bookmark” when used on such a site. Similarly, cookies can store ordering information needed to make shopping carts work instead of forcing the user to remember all the items the user put in the shopping cart. This is very useful if your system experiences a disruption in connectivity or your computer ‘crashes’ while you are in thr process of filling a shopping cart.

Persistent or tracking Cookies

Persistent Cookies store user preferences. Many websites allow users to customize exactly how information is presented through site layouts or themes. These customizations make the site easier to navigate and/or lets user leave a part of the user’s “personality” at the site.

Cookie security and privacy issues

Cookies are NOT viruses. Cookies use a plain text format. They are not compiled pieces of code so they cannot be executed nor are they self-executing. Accordingly, they cannot make copies of themselves and spread to other networks to execute and replicate again. Since they cannot perform these functions, they fall outside the standard virus definition.

Cookies CAN be used for malicious purposes though. Since they store information about a user’s browsing preferences and history, both on a specific site and browsing among several sites, cookies can be used to act as a form of spyware.

The way responsible and ethical web developers deal with privacy issues caused by cookie tracking is by including clear descriptions of how cookies are deployed on their site. Privacy Policy Online strives to help web developers generate clear and easy-to-understand information for web publishers to include on their web pages.


Flash Cookies

The University of California at Berkely discovered that a large number of the web’s most popular sites are surreptitiously using a particularly sneaky cookie without informing users in their privacy policies. (SOURCE)

Everybody knows all about standard browser cookies, but Flash cookies are relatively unknown to most web users. Worse still, they are not controlled through the cookie privacy controls in a browser. So then even if a user believes that they have cleared their computer of all cookie like tracking objects, they most likely have not if they have visited a site that uses Adobe’s Flash cookie.

If you think that’s sneaky…

Several services were even using this surreptitious data storage to reinstate traditional cookies that a user deleted, which is called ‘re-spawning’ the report found. Like a bad zombie in a “B” movie, such cookies come back again and again even after you have used your best weapons to kill them. So even if you got rid of a website’s tracking cookie, that cookie’s unique ID will be assigned back to a new cookie again using the Flash data as the “backup.”

Even the government website, Whitehouse.gov showed up in the report, with researchers reporting they found a Flash cookie with the name “userId.” Whitehouse.gov does say in its privacy policy that it uses tracking technology but it does not mention Flash or tell users how to get rid of the Flash cookie. You like it when the government snoops on you, right?

The funny thing is that the Berkely study was to be used in the government’s proceeding about the use of cookies on federal websites. Federal websites have traditionally been banned from using tracking cookies, despite being common around the web — a situation the Obama administration wants changed.

Congress and federal regulators are looking at ways of controlling the online tracking and advertising industry, whom they feel have failed to make the industry transparent about when, how and why it collects data about internet users. Strangely enough, the government has done no better at this.

Third party advertising networks have previously agreed to a voluntary code of conduct. The code they proposed prohibits little and has no enforcement mechanism. So even with regard to sensitive health information, advertisers are free to collect as much information as they please, just as long as it does not involve an actual prescription.

Berkely’s Chris Hoofnagle, the Director of Information Privacy Programs at the Berkeley Center for Law and Technology tested the top 100 sites to see what their privacy policies said, what their tracking technology actually does and what happens if a user blocks the Flash cookie.

The 2009 study found that 54 of the top 100 Internet sites set Flash cookies, which vary from simply setting audio preferences to tracking users by a unique identifier. Some of these sites merely handle innocuous and useful functions, such as remembering the volume level you preferred when you watched a video or listened to song.

Adobe’s Flash software is installed on an estimated 98 percent of personal computers. Some of the web’s most popular sites depend upon it, such as YouTube, Facebook and Hulu. Every time you see a YouTube video, you are using Flash.

Adobe’s Flash cookie lets a site store up to 100K of information. That’s about 25 times more than what a browser cookie can hold. Pandora.com uses the Adobe Flash cookie’s storage capability to preload portions of songs or videos to deliver smooth and fast playback.

All modern browsers include controls that let users decide what cookies to accept and which to eliminate. Flash cookies are handled differently and do not abide by these rules or controls. These are fixed through a web page on Adobe’s site, where the controls are not easily understood (There is a panel for Global Privacy Settings and another for Website Privacy Settings — the difference is unclear). In fact, the controls are so odd, the page has to tell you that it is the control, not just a tutorial on how to use the control.

Defenders of behavioral ads say that privacy shouldn’t be a concern since cookies really identify a browser, not a person. Moreover, they argue that users would prefer to have relevant ads. Targeted Behavioral Ads could also help save online journalism. Under this theory, Google text ads don’t work on a news story about the governor raising the sales tax, since there’s no product that goes with that context. But if the site knew the reader was in the market for a car, it could show an ad for the new Lexus and earn much more.


Users who want to control or investigate Flash cookies have several options:


Mac OS X:

Where to find your sneaky flash cookies:

  • Windows: LSO files are stored typically with a “.SOL” extension, within each user’s Application Data directory, under Macromedia\FlashPlayer\#SharedObjects.
  • Mac OS X: For Web sites, ~/Library/Preferences/Macromedia/FlashPlayer. For AIR Applications, ~/Library/Preferences/[package name (ID)of your app] and ~/Library/Preferences/Macromedia/FlashPlayer/macromedia.com/Support/flashplayer/sys
  • GNU-Linux: ~/.macromedia