Internet: Security Student Paper: Biddle - California Western

Cookies: The Diet of the Web

by Lee Biddle

In a recent poll conducted by two major news organizations, Americans ranked the loss of privacy as their number one concern of the 21st century. In large part, this seems to be a reaction to the ever-increasing role that computers, and the Internet in particular, play in our lives.

Politicians and government officials have not been deaf to the concerns of their constituents over privacy. As one commentator notes, "a number of [recent] events confirm that privacy has risen to the top of the political agenda in Washington." The Federal Trade Commission has begun investigations of at least two major Internet companies over their information gathering practices. One Senator is proposing a law requiring clear, concise privacy policies to be posted on every site. Another has moved to form a bipartisan Congressional Privacy Caucus. Lawsuits may also begin to play a role in the debate. A California woman filed a suit against DoubleClick, a leading Internet advertising manager, alleging unfair business practices through violations of privacy policies, and at least two suits have been filed against Amazon.com over the same issues.

At the heart of this debate over Internet privacy is a deceptively simple bit of computer code known as a cookie. This paper will explore the issues surrounding the use of this controversial program. While cookies can potentially track a user's every move around the Internet, they also allow web pages to be accessed more quickly and the content to be personalized based on individual interest. Perhaps most importantly, the information gathered by cookies allows web sites to charge higher rates for advertisements, which are the sole source of revenue at many web sites.

I.  How Cookies Work

Cookies are small bits of data, usually a unique string of numbers, placed onto a user’s computer by the host web site. Originally, cookies were intended to allow a web site to know if a user had been to the site before, and to retrieve information that the user had given at previous visits to the web site. The intention was to make web surfing easier by doing such things as allowing a user to provide a password or a user name at a site just once. The popular commercial web site Amazon.com demonstrates a common use of a cookie. When you make a purchase at Amazon, the site will place a cookie on your hard drive. When you next visit the site, the Amazon computer will read that cookie, and be able to identify you by name and recommend books you may like.

Cookies have now developed to the point where they can tell a web site owner what web page you arrived from, how long you spend looking at the different pages on their web site, and what site you move on to next. This is the equivalent of someone following you around a store and taking notes on everything you look at, or standing over your shoulder as you browse through the newspaper.

The information gathered by cookies is very valuable to web site owners. At a basic level, cookies can be used to keep count of new and returning visitors, tell how long it has been since a user was last at the site, and show what pages users seem to enjoy the most based on the length of time each is viewed. At a more advanced level, cookies can be used to tailor advertising and "banner ads" that appear at the top of a web page to specific interests that the cookie holder might have. For example, if a user of the New York Times web site most often reads technology news stories, when the user returns to the web site only ads for computers might appear at the top of the page. If a user arrives at a site selling sporting goods from a web site that reports golf news, they may see ads or links directing them to golf equipment. An owner of a web site can charge an advertiser at least twice as much for ads targeted to those likely to have an interest in that advertiser's product.

There are limits on the power of cookies. Cookies cannot, by themselves, identify you as anything more than the random number assigned to your hard drive at your first visit to the web site. If you provide no information about yourself to the web site, the cookie may be able to build a profile of how your computer browses that web site, but it cannot tie that information to your name. Only if you provide a web site with information such as your name, home address, or e-mail address can the person behind the computer holding the cookie be identified. In addition, the person who placed a cookie on your hard drive can only read the cookie that they left on your computer. Amazon.com cannot, on its own, read your other cookies, and the information associated with them cannot be accessed.

II.  Advanced Uses of Cookies

As mentioned above, cookies can allow the content of a site to be personalized to your interests and advertisement rates to be increased, but the program cannot, by itself, identify specifically who you are. If this were all that cookies were going to be used for, they might never become subject to much public outrage. However, several companies are striving to be able to link the information gathered by cookies to specific individuals. The "holy grail" is the ability to target an ad to a specific, known individual, based on a profile of interests and spending patterns gathered from cookies and other online and off-line sources of information. Advertisers are willing to pay up to ten times more to a web site for an ad that can be targeted so precisely.

DoubleClick, Inc. is the company closest to implementing this vision. Currently valued at over $12 billion, the company is the leading distributor of web advertising. Few web sites directly control their own advertising; instead, they allow DoubleClick to dictate what ads a user of their site may see. When someone arrives at, for example, the AltaVista site, they see the content that AltaVista decides to provide them. However, AltaVista leaves a "hole" near the top of their web page, a place for an ad banner to appear. DoubleClick computers are then notified, and an appropriate ad is sent by DoubleClick to fill the "hole" at the top of the user’s page. Essentially, the ad banner acts as a web page within a web page; it is a direct connection from the web user to the DoubleClick computer, even though the user believes that they are visiting only one site, in this example, AltaVista.

DoubleClick utilizes cookies to track users who "visit" a DoubleClick web site. In the course of a day of web surfing, a web user may come across a dozen or so web sites that host DoubleClick ads. At each visit, the DoubleClick cookie is activated. DoubleClick is therefore able to build a profile of a web user much more detailed than any one site could. At present, the company has profiles associated with over 100 million cookies that have been placed on web users' computers. The DoubleClick cookie allows the company to compile information on all the DoubleClick partner sites you have visited, what pages you viewed at each site, what ads you saw, and whether or not you responded to each ad.
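The two mechanisms described above (a site can read back only the cookie it set, yet a banner server embedded on many sites sees one cookie everywhere) can be modelled in a few lines. This is an added example, not code from the paper or from any company it names; the `.example` host names, the `id` and `session` cookie names, and the `Browser`, `AdServer` and `publisher` helpers are hypothetical, and the cookie jar is simplified to match on host only.

```python
import itertools
from http.cookies import SimpleCookie

class Browser:
    """Minimal cookie jar: cookies are stored and sent back per host only."""
    def __init__(self):
        self.jar = {}  # host -> {cookie name: value}

    def request(self, server, host, referer=None):
        # Only cookies previously set by this host are returned to it.
        sent = "; ".join(f"{k}={v}" for k, v in self.jar.get(host, {}).items())
        set_cookie = server(sent, referer)
        if set_cookie:
            for name, morsel in SimpleCookie(set_cookie).items():
                self.jar.setdefault(host, {})[name] = morsel.value
        return sent  # what this host was able to read

class AdServer:
    """Hypothetical third-party ad server filling the banner 'hole'."""
    def __init__(self):
        self._ids = itertools.count(1000)
        self.profiles = {}  # cookie id -> pages on which a banner was served

    def __call__(self, cookie_header, referer):
        cookie = SimpleCookie(cookie_header)
        is_new = "id" not in cookie
        uid = str(next(self._ids)) if is_new else cookie["id"].value
        self.profiles.setdefault(uid, []).append(referer)
        return f"id={uid}" if is_new else None

def publisher(cookie_header, referer):
    """First-party site: sets its own cookie on the first visit only."""
    return None if cookie_header else "session=abc"

def simulate():
    browser, ads = Browser(), AdServer()
    read_by_publishers = []
    # Constructed browsing session across three unrelated sites.
    for page in ["news.example/tech", "search.example/q", "shop.example/golf"]:
        host = page.split("/")[0]
        read_by_publishers.append(browser.request(publisher, host))
        # The embedded banner triggers a separate request to the ad host.
        browser.request(ads, "ads.example", referer=page)
    # A return visit: the first site now reads back only its own cookie.
    read_by_publishers.append(browser.request(publisher, "news.example"))
    return ads.profiles, read_by_publishers

if __name__ == "__main__":
    print(simulate())
```

Each publisher reads nothing on a first visit and only its own `session` cookie on return, while the ad host accumulates every page under a single numeric id that carries no name or address.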

Again, DoubleClick’s cookie does not know your name, address, income, or other personal information, unless you provide it. In an effort to get people to provide DoubleClick with that information, the company has created its own web sites, such as NetDeals.com, which holds sweepstakes and raffles that can easily be entered: just provide some information about yourself, such as address and occupation. Similarly, a web site working with DoubleClick can pass any information you provide to it along to DoubleClick, which can then associate it with your cookie profile.

Until November of 1999, DoubleClick’s official privacy policy stated that no personally identifying information, such as your name, would be associated with the cookie profile built by the company. Any information the company was able to gather would only be associated with your cookie’s number. However, in November, DoubleClick spent nearly $2 billion to buy Abacus Direct, a marketing firm that has built a massive database working with catalogue companies and from warranty cards. The company has now announced that it will combine personal identifying information with cookie data, but only information provided by users to select web sites that are part of the "Abacus Alliance" and only when the user chooses to allow the information to be compiled. Privacy advocates have little faith that consumers will be aware of what allowing DoubleClick to collect this information will mean, and even less faith that DoubleClick will make an honest effort to educate them.

III.  The Next Step: Privacy the Price of Freedom?

What has made the World Wide Web a popular place is the price: nearly all of the vast quantities of information on the web are free. In fact, very few sites that charge for content have been able to survive. Of course, everybody knows there is no such thing as a free lunch. Information about you, your web surfing habits and your spending patterns is valuable currency on the Internet. The one and only revenue source that most content providers have is advertising sold on their web site, and the more information that they can gather, the more that they can charge for those ads.

At present, very few web companies make money; only 12 of 400 publicly traded Internet companies are expected to show a profit in 2000. Undoubtedly, investors will begin to pressure companies to find ways to make money. At the same time, those who advertise on the web are demanding that their advertisement budgets be spent on effective, efficient advertising, targeted to the markets they serve. The combination of these two pressures, to raise more revenue and to make ads effective, is why many web companies find the information gathering conducted by DoubleClick and others so valuable.

As mentioned in the beginning of this paper, consumers are concerned about privacy, and politicians are reacting. What needs to be remembered is that we now pay for using web sites not with money, but with information. If this information cannot be collected, much of the landscape of the web may change, and we must decide if that is for the better.