What Are Cookies? The Good and the Bad of Browser Cookies
You can’t visit a website these days without getting one of those troubling notifications. You know: “This site uses cookies…” A pop-up window implores you to accept or reject cookies. The website may offer you an opportunity to accept all cookies or no cookies or just certain kinds of cookies. And it demands an answer.
It’s all quite alarming.
Here’s what you need to know: While cookies can compromise your presumption of digital privacy in unnerving ways, they can’t infect your system with viruses or other kinds of malware.
What Are Cookies For, Anyway?
Cookies – you can refer to them as browser cookies, HTTP cookies, web cookies, computer cookies, or even their original name, “magic cookies” – were invented to address a fundamental weakness in the computer language that browsers and websites use to communicate with each other.
The language is HTTP, the hypertext transfer protocol. The weakness is statelessness.
Statelessness is essential to the way the web works. When you request a web page, the communication lasts just a fraction of a second. Your browser transmits the request to the web server’s address and the web server transmits the page to your address. Then you are disconnected. With internet cookies or without them, the wired and wireless digital paths that supported the data transfer are now free for other users and websites. It’s just how the system works.
Statelessness is great for supporting millions of users on data transmission lines and for websites that are serving up pages to hundreds or thousands of people at once.
A stateless system works like a vending machine. The machine doesn’t know who you are, how long you’ve been standing there, or whether you’ve bought something before. It simply accepts your money and gives you a product in return. That’s the internet without browser cookies.
There’s a problem with statelessness. Suppose you log on to a website. The home page directs you to another page on the site. You click, and…hey, wait a minute. How does the new page know who you are? How does it know you’re logged on? In a stateless system, the new page should require you to log in again. It doesn’t.
You have experienced the power of cookies.
In 1994, a software engineer at Netscape proposed a way of solving the second log-on problem and adding state to the internet. A programmer of solid nerd credentials, Lou Montulli referred to the little data packets in his proposal as “magic cookies,” and they’ve been known as cookies ever since.
In 1997, Montulli’s web cookies were adopted by the Internet Engineering Task Force, an international open standards body that operates under the authority of the Internet Society. The current version of the standard is embodied in RFC 6265, the specification for a cookie-based “HTTP state-management mechanism.”
Cookies let Netscape’s early websites know if a user had visited the site before. That information lets the site present different information to new users and repeat visitors.
Montulli was already thinking about shopping sites. Without cookies, there would be no way to transfer the list of products you want to the check-out page. Montulli proposed that the list be stored in text files on your PC – cookies – until you made a purchase and the list could be deleted.
Without cookie data, every visit to Amazon would require you to keep pen and paper handy so you could write down the website’s code numbers for the books you want. Then you’d have to type the code numbers into the check-out page. Make one typo and you’ll get a cookbook instead of the biography you wanted.
Cookie information makes shopping websites substantially easier to use. But digital cookies aren’t programs. They’re just little bits of text, usually encrypted, that browsers store on your PC or mobile device. They don’t contain your user name or your email address or your passwords. They’re just codes that mean “this user is logged in” or “The Autobiography of Malcolm X.”
Montulli’s eCommerce use case convinced the world that web cookies were a good idea. They’ve been widely used ever since.
If you visit your local newspaper’s website, the front page may dim headlines to gray for articles after you read them. The next time you visit the site, you’ll see at a glance which articles you’ve read and which await you. How’d they do that? Cookies.
You visit a video streaming site and it’s using the night interface theme you like – white text against a black background instead of old-fashioned black on white. How do they know to use that theme when you come back to the site days later? Internet cookies.
The first time you visit a news media website, a pop-up on your internet browser asks whether you would like to receive headlines in your email once a day. You answer yes or no, and the next time you visit the site, there’s no pop-up. How’d they do that? Cookies.
Those are the kinds of everyday tasks Montulli’s magic cookies do. It’s no wonder they are common on websites large and small. They have become an essential part of the web.
Web cookies don’t spread viruses or malware. They can’t read documents or other information from your hard drive. They don’t know and don’t contain your passwords, your email address, or any other personal information. And they can’t control your computer in any way: They can’t send emails or post on social media or erase data.
Flavors of Cookies
The first cookies were session cookies that established whether you were logged in. Browsers store these simple cookies on the user’s PC, and they’re invisibly added to every request you send to the website. Session cookies let you navigate from page to page at a website without logging in every time you load a new page. These browser cookies are erased when you log out or automatically after a specific time period.
Session cookies were soon joined by persistent cookies. These cookies are useful for setting user preferences. For example, you may prefer that your video streaming site use a particular color scheme – white text on a black background, say, instead of the default black on white. When you set this preference, the site instructs your browser to store your preference in a cookie on your PC or mobile device. The site loads the cookie the next time you visit and applies the color scheme – even before you log on.
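An added example, not from the article, showing where the session/persistent distinction actually lives: in the Set-Cookie header. A cookie with no Max-Age or Expires attribute lasts only until the browser closes; one with Max-Age survives until it expires. The CookieJar class is a constructed, minimal model of what a browser does with those headers.

```python
from http.cookies import SimpleCookie


def build_set_cookie(name, value, max_age=None):
    """Return a Set-Cookie header value as a server would send it.
    Without Max-Age/Expires the result is a session cookie; with Max-Age
    (seconds) it is a persistent cookie."""
    c = SimpleCookie()
    c[name] = value
    c[name]["path"] = "/"
    if max_age is not None:
        c[name]["max-age"] = max_age
    return c.output(header="").strip()


class CookieJar:
    """Constructed browser-side cookie jar: session cookies are forgotten when
    the browser closes, persistent cookies are kept until their expiry time."""

    def __init__(self):
        self.session = {}      # name -> value
        self.persistent = {}   # name -> (value, expiry timestamp)

    def store(self, set_cookie_header, now):
        """Apply one Set-Cookie header received at time `now` (seconds)."""
        c = SimpleCookie()
        c.load(set_cookie_header)
        for name, morsel in c.items():
            if morsel["max-age"]:
                self.persistent[name] = (morsel.value, now + int(morsel["max-age"]))
                self.session.pop(name, None)
            else:
                self.session[name] = morsel.value
                self.persistent.pop(name, None)

    def cookie_header(self, now):
        """Build the Cookie request header the browser would send at time `now`,
        silently dropping persistent cookies that have expired."""
        live = {n: v for n, (v, exp) in self.persistent.items() if exp > now}
        live.update(self.session)
        return "; ".join(f"{n}={v}" for n, v in sorted(live.items()))

    def close_browser(self):
        """Closing the browser discards session cookies only."""
        self.session.clear()
```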
Every browser stores web cookies in a different way. Netscape Navigator stored cookies in a simple text file called “cookies.txt.” Most modern browsers store cookies in SQLite databases, with certain data encrypted by default. Since every cookie is stored on a local device using a particular browser, it is not possible to synchronize settings – like the color theme of your video streaming site – across multiple PCs or browsers automatically using cookies. If your site syncs up such settings across multiple devices or browsers, then it is not using cookie data to store those settings.
This limitation is leading web developers and computer scientists to think about alternatives to cookies.
Consider the example of a news page that turns headlines gray for each story you’ve read. That’s great on your laptop at home. But if you access the site later from your smartphone or from a PC at your office, none of the headlines will be gray. The influence of cookies is limited to a single browser on a single device. You can’t store the same cookie data on multiple devices. Cookies can’t be read by multiple browsers. If you want to maintain state across multiple browsers or devices, then you’ve got to store state data on the server, not on the user’s PC.
You could think of this data as server-side cookies, but computer scientists call them “sessions” – a term that seems designed to be confusing. Sessions are growing in popularity because more and more people regularly use multiple devices to access the web. Sessions can’t entirely replace cookies, but they’re a great solution in many cases.
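An added, constructed illustration (not the article’s code) of the server-side “session” the article contrasts with cookies: the cookie carries only a random, opaque session id, and every preference is stored on the server under the user account, so a second device logged in as the same user sees the same setting. The SessionStore class and its method names are assumptions for this example.

```python
import secrets
import time


class SessionStore:
    """Constructed server-side session store. The browser only ever holds the
    opaque id returned by login(); all state stays on the server."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self.sessions = {}      # session id -> {"user": ..., "expires": ...}
        self.preferences = {}   # user -> settings shared by all of that user's devices

    def login(self, user, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)   # 256 random bits: unguessable, not derived from identity
        self.sessions[sid] = {"user": user, "expires": now + self.ttl}
        return sid

    def user_for(self, sid, now=None):
        """Resolve a session id to a user, treating unknown or expired ids as logged out."""
        now = time.time() if now is None else now
        entry = self.sessions.get(sid)
        if entry is None or entry["expires"] <= now:
            self.sessions.pop(sid, None)
            return None
        return entry["user"]

    def set_preference(self, sid, key, value, now=None):
        user = self.user_for(sid, now)
        if user is None:
            raise PermissionError("not logged in")
        self.preferences.setdefault(user, {})[key] = value

    def get_preference(self, sid, key, now=None):
        user = self.user_for(sid, now)
        if user is None:
            raise PermissionError("not logged in")
        return self.preferences.get(user, {}).get(key)

    def logout_everywhere(self, user):
        """Invalidate every device's session for a user, something a cookie-only design cannot do."""
        for sid in [s for s, e in self.sessions.items() if e["user"] == user]:
            del self.sessions[sid]
```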
What About Those Creepy Cookies?
There’s one more kind of cookies on your computer that you ought to know about. These are the cookies that upset privacy advocates. They’re known as third-party cookies or marketing cookies or tracking cookies.
The idea is simple enough. If you’re an advertiser and you’ve paid to display your ad at a particular website on a per-view basis, you and the site both want to know how many times your ad has been viewed.
With third-party cookies, the advertisement includes code that places a cookie on your computer. The cookie identifies the advertiser, the website, and you. Your identity is an encrypted code that the advertiser can’t read. But it does identify you uniquely.
When you see the same ad at a different site, the browser cookie is updated to indicate that you have seen the ad once more. And the site is added to the list of sites where you have seen the ad.
Now the advertiser knows which websites you visit. The advertiser doesn’t know who you are. Personally identifiable data is encrypted, but the list of sites is associated with the encrypted value that represents you.
If you have browsed for a particular product at an online store and then ads for similar products have followed you around the internet, you have experienced the power of tracking cookies.
Cookies do not contain personally identifiable information. But a data breach could conceivably associate your encrypted user identifier with your online user name or even your real name. Your browsing history could conceivably become a matter of public record.
The session cookies and persistent cookies set by the websites you visit do not track you around the web. These first-party cookies are harmless, and in fact they are essential for getting the most out of the internet. It is the third-party cookies – the marketers’ tracking cookies – that represent a privacy risk. You can eliminate the risk by using an ad blocker, by instructing your browser to reject third-party internet cookies, or by requiring the websites you visit to use first-party cookies only. Clearing cookies, or cookies and cache, periodically can keep you safe and make your PC run a little faster too.
The Decline of Third-Party Cookies
Because consumers resent being tracked around the internet, third-party cookies are disabled in Apple’s Safari browser and Mozilla Firefox by default.
In January 2020, Google announced that it would end Chrome’s support for third-party cookies entirely by 2022.
Many marketers see Google’s rejection of third-party cookies as the end of a lucrative era in online marketing. “There is no arguing that marketing cookies have been extraordinarily valuable to the entire consumer economy,” says Randall Rothenberg, CEO of the Interactive Advertising Bureau.
“Studies show that the ad targeting they have powered has been worth more than $25 billion to the consumer economy by creating more efficiencies and allowing advertising to more effectively reach interested consumers. Say what you want about ‘those creepy ads that follow you around the internet,’ but consumers undeniably buy based on those ads, and they have helped brands, publishers, and intermediaries grow.”
Google’s decision is in line with increasing government regulation of third-party tracking cookies.
One reason you’re seeing cookie permission dialogs spring up online is that the European Union’s General Data Protection Regulation dictates that website owners throughout Europe must inform users about their privacy rights and acquire consent before installing cookies. GDPR compliance is an important issue not only for European website owners, but for anyone whose sites are accessed by EU citizens.
The GDPR was under development for several years. It became law throughout the European Union – and binding on companies doing business there – on May 25, 2018. Under the GDPR cookie policy, consumers control what information is gathered and how it is further distributed. The GDPR focuses on tracking and third-party cookies, the ones that can be used to breach your privacy. First-party session cookies and persistent cookies aren’t subject to the GDPR. It is only tracking cookies used by advertisers that are banned.
The European Union does not have the authority to write laws for EU member states. Rather, it creates regulations. Each European country writes and passes its own GDPR-compliant cookie law. Most European countries have not yet implemented the directive.
Websites that operate solely in the United States or countries not covered by the GDPR have a kind of rogue status when it comes to cookie consent law. Some sites provide a statement banner in which they disclose the types of cookies they use, but more often than not they don’t include third-party cookies in the warning. There is no regulation that legally binds them to do so. In the United States, there is no all-encompassing federal cookie law, but there are some states that have enacted their own data protection laws.
The California Consumer Privacy Act of 2018 came into effect in 2019, and it changed things for users and website owners in California. If a particular business is subject to the CCPA, residents of California must have the option to refuse or allow browser cookies.
Google’s decision to eliminate third-party cookie support in the industry’s leading browser adds further fuel to the anti-tracking fire.
Security Threats and Cookie Fraud
To hackers, cookies represent a window they can climb through to gain access to user accounts, especially at carelessly coded websites. In 2017, hackers took advantage of careless coding at Yahoo to gain access to 32 million user accounts by forging cookies that established logged-in sessions without requiring users to log in.
Most cookie-based attacks require the hacker to have control of the server or physical access to the PC on which the user’s cookies are stored. In those cases, a cookie vulnerability is the least of your worries.
Still, browser cookies are sent to and from your browser over the internet, which means they – like any data – could be intercepted and misused by inventive hackers. The security threat is small but measurable. And the digital data collection practices of advertising cookies represent a substantial privacy threat.
Cookies are not dangerous themselves, but they do create opportunities for hackers to take partial control of online sessions, often masquerading as legitimate users. Experts say users should be aware of four main kinds of cookie fraud: cross-site scripting, session fixation, cross-site request forgery, and cookie tossing.
With cross-site scripting, the user receives a cookie after visiting a malicious website. The cookie includes a script payload that targets a third website. The browser cookie is disguised as if it were from the target website. Hackers use cross-site scripting to get past access controls and access sites as if they were verified users.
Session fixation attacks involve hijacking session IDs from ordinary interactions. Hackers use stolen session IDs to perform malicious actions at the target domain, making it appear that the original site user is the guilty party. It’s one reason you don’t want to allow third-party cookies in your browser.
Cross-site request forgery attacks work much the same way. The user visits a target site, then a malicious site, which runs an attack on the original site as if the user were conducting the attack.
With cookie tossing, users receive disguised cookies that look like they originated from a subdomain of the targeted website. As soon as the user visits the targeted website, the subdomain cookie is sent along. But the legitimate cookie data is sent as well. If the targeted website interprets a subdomain cookie first, it will overrule the data in any subsequent legitimate cookies.
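An added example, not from the article, of the ambiguity cookie tossing relies on and how a server can refuse to resolve it: when the Cookie request header carries the same name twice, a “first one wins” reader takes whichever value arrived first, while a strict reader drops the name and reports the conflict. The header string is constructed for the example.

```python
def parse_cookie_header(header):
    """Split a Cookie request header into (name, value) pairs, keeping order and
    duplicates: a browser sends both the subdomain cookie and the legitimate
    one when they share a name."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        name, _, value = part.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs


def naive_first_wins(header):
    """How a careless server reads cookies: the first occurrence of a name wins,
    so whichever cookie the browser happened to send first is trusted."""
    result = {}
    for name, value in parse_cookie_header(header):
        result.setdefault(name, value)
    return result


def strict_cookies(header):
    """Defensive reading: a name that appears with more than one value is
    ambiguous, so it is dropped and reported instead of silently chosen."""
    seen = {}
    conflicts = set()
    for name, value in parse_cookie_header(header):
        if name in seen and seen[name] != value:
            conflicts.add(name)
        seen.setdefault(name, value)
    for name in conflicts:
        del seen[name]
    return seen, sorted(conflicts)


# Constructed request: a cookie planted from a subdomain arrives ahead of the site's own.
TOSSED = "sessionid=from-subdomain; sessionid=from-site; theme=dark"
```

Naming the session cookie with the `__Host-` prefix (part of the cookie-prefix rules in the RFC 6265bis drafts) stops a subdomain from setting it at all, because browsers accept such a cookie only from a secure origin with Path=/ and no Domain attribute.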
None of these are common cookie problems. Cookie fraud is rare. These cookies aren’t viruses and they don’t carry malware. They cannot be executed. But cookie fraud is a worldwide concern, mainly because it could be used to falsify the identity of legitimate users or to co-opt a legitimate user’s identity to perform malicious actions. The most important steps you can take to protect yourself include:
- Keep your browser settings and plug-ins updated.
- Block third-party cookies.
- Choose whether to allow or block cookies on a site-by-site basis.
- Install browser extensions that delete a site’s cookies after you leave it.
- Use your browser’s “incognito” mode.
- Install anti-spyware apps and keep them updated.
On February 5, 2020, engineers from Google and Apple submitted version 5 of the technical spec for internet cookies to the IETF. The proposed specification includes new requirements that are intended to block the security holes that allow hackers to commit cookie fraud. The IETF has until August to adopt the draft or to send it back to the authors (or other parties) for further revisions.