Cookies & Privacy Good Cookie or Bad Cookie? By Ravi Pai Panandiker November 21, 2002 IST 497E/Giles


Page 1: Cookies & Privacy

8/8/2019 Cookies & Privacy

http://slidepdf.com/reader/full/cookies-privacy 1/27

Cookies & Privacy

Good Cookie or Bad Cookie?

By Ravi Pai Panandiker

November 21, 2002 IST 497E/Giles

Page 2: Cookies & Privacy


Overview
- Introduction
- What is a Cookie? Basic Facts
- Cookies & Paranoia
- Getting Creative with Cookies
- Scope of Cookies
- Cookie Fixes
- Cookie Taxonomy
- Anatomy of a Cookie
- Working with Cookies: Code & Demo
- Cookie based Marketing
- Cookies, Privacy & Legislation
- Conclusion


Page 4: Cookies & Privacy


What is a Cookie?
- Short pieces of text generated during web activity and stored in the user's machine for future reference
- Instructions for reading and writing cookies are coded by website authors and executed by user browsers
- Developed for user convenience to allow customization of sites without need for repeating preferences

Page 5: Cookies & Privacy


Cookie Facts
- Most Cookies store just 1 data value
- A Cookie may not exceed 4 Kb in size
- Browsers are preprogrammed to allow a total of 300 Cookies, after which automatic deletion based on expiry date and usage
- Cookies have 3 key attributes: name, value and expiry date

Page 6: Cookies & Privacy


Cookies & Paranoia
Why are Cookies notorious?
- Most Cookie activity is transparent to the user
- Most people do not understand what Cookies can and cannot do
- People do not know how to protect themselves from Cookies
- Valid reason: There are organizations out there using Cookies to track your activities (More later)

Page 7: Cookies & Privacy


Darwinian Evolution: Getting Creative with Cookies
- Basic cookie mechanism: Place a piece of information, retrieve it for customization on subsequent visits
- Functions available: read, write, delete
- Creative application 1: Initialize a cookie called counter to 1. Every time user visits, retrieve counter, increment by 1 and re-write.
- Creative application 2: When a user visits, write system date/time in a cookie. Next visit get cookie for last visit. Overwrite with current date/time.

Page 8: Cookies & Privacy


Cookie Scope: Cannot Do
- Have automatic access to personal information like name, address, email
- Read or write data to hard disk
- Read or write information in cookies placed by other sites
- Run programs on your computer

Page 9: Cookies & Privacy


Cookie Scope: Can Do
- Store and manipulate any information you explicitly provide to a site
- Track your interaction with parent site such as pages visited, time of visits, number of visits
- Use any information available to web server including: IP address, Operating System, Browser Type

Page 10: Cookies & Privacy


Cookie Fixes: Getting in Control
- Turn up security level on your browser to disable cookies or prompt for cookie
- Delete the content of a cookie and then write protect it
- Use JavaScript command to display cookies by current site/path: JavaScript:alert(document.cookie)
- Use 3rd party software: Cookie Pal, CookieMaster, CookieCrusher to monitor, browse and edit cookies. (Shareware/Freeware)

Page 11: Cookies & Privacy


Cookie Types and Taxonomy
By Lifespan
- Session Cookies (RAM)
- Persistent Cookies (Disk)
By Read-Write Mechanism
- Server-Side Cookies (HTTP Header)
- Client-Side Cookies (JavaScript)
By Structure
- Simple Cookies
- Array Cookies

Page 12: Cookies & Privacy


Anatomy of a (Simple) Cookie
String of text with these 6 attributes:
- The domain for which the cookie is valid
- The path for which the cookie is valid
- The name of the cookie
- The value of the cookie
- The expiration date of the cookie
- Whether a secure connection is needed to use the cookie

Page 13: Cookies & Privacy


Working with Cookies
- The domain and path are automatically handled by the browser, script author has no control
- For a given domain and path, a script may create any number of cookies by specifying a name, value and expiry date
- Each (simple) cookie is stored in a separate text file in Temporary Internet Folder, but tagged to a specific domain
- Cookies are handled by the browser as an Object called document.cookie and read/written using object dot notation
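The six attributes from the "Anatomy" slide and the browser's automatic domain/path handling, as an added example that is not code from the slides: it parses a Set-Cookie header (the server-side mechanism from the taxonomy slide) and decides whether a browser would send the cookie back on a given request. The sample header and hosts are constructed for the example.

```javascript
// Added example, not code from the slides: parse a Set-Cookie header into the
// six attributes the "Anatomy" slide lists and apply the browser's automatic
// domain/path/secure/expiry handling to decide whether the cookie is sent back.
function defaultPath(requestPath) {
  // Browser default when the server sets no Path: the request's directory.
  const i = requestPath.lastIndexOf('/');
  return i <= 0 ? '/' : requestPath.slice(0, i);
}

function parseSetCookie(header, originHost, originPath) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq), value: pair.slice(eq + 1),
    domain: originHost.toLowerCase(), path: defaultPath(originPath),
    expires: null,            // null = session cookie (RAM, gone when browser closes)
    secure: false,
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    switch (k.toLowerCase()) {
      case 'domain':  cookie.domain = v.replace(/^\./, '').toLowerCase(); break;
      case 'path':    cookie.path = v; break;
      case 'expires': cookie.expires = new Date(v); break;   // persistent cookie (disk)
      case 'secure':  cookie.secure = true; break;
    }
  }
  return cookie;
}

// Would the browser attach this cookie to a request for requestUrl at time now?
function shouldSend(cookie, requestUrl, now = new Date()) {
  const u = new URL(requestUrl);
  const host = u.hostname.toLowerCase();
  // Domain match: the host itself or a subdomain of it, never a look-alike host.
  const domainOk = host === cookie.domain || host.endsWith('.' + cookie.domain);
  // Path match: exact, or a sub-directory of the cookie path.
  const pathOk = u.pathname === cookie.path ||
    (u.pathname.startsWith(cookie.path) &&
      (cookie.path.endsWith('/') || u.pathname[cookie.path.length] === '/'));
  const secureOk = !cookie.secure || u.protocol === 'https:';
  const unexpired = cookie.expires === null || cookie.expires > now;
  return domainOk && pathOk && secureOk && unexpired;
}

// Constructed sample header, as a shop site might set it.
const SAMPLE = 'visits=3; Domain=example.com; Path=/shop; ' +
  'Expires=Wed, 21 Nov 2012 00:00:00 GMT; Secure';
```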

Page 14: Cookies & Privacy


Cookie Code
- Cookies may be read/written by server-side or client-side code
- Server-side Cookies are executed by the web server and instructions included in HTTP header for the page
- Server-side Cookie languages: Perl/CGI, ASP/VBScript
- Client-side scripts: JavaScript embedded in page HTML

Page 15: Cookies & Privacy


A Typical Cookie Algorithm (flowchart)
Start: On page load
Is Cookie empty?
- N: Read Cookie. Use Cookie info to customize/login etc. Update Cookie.
- Y: Write new Cookie. Prompt for info if necessary.
Continue loading page...

© Ravi Pai Panandiker

Page 16: Cookies & Privacy


Cookie Code: JavaScript
JavaScript code uses 3 standard functions that are defined in the HTML <head> tag:
- getCookie(cookieName)
- setCookie(cookieName, value, expDate)
- delCookie(cookieName)
All Cookie manipulation is performed using these 3 functions and regular algorithmic constructs.
All functions are automatically performed on the cookie object of that domain/path.
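The three standard functions named above, plus the visit counter and last-visit applications from the "Getting Creative with Cookies" slide, as an added example that is not the slides' demo code. Node has no document.cookie, so makeMemoryDocument is a constructed stand-in that mimics its read/write semantics; the functions take the document to use as a parameter.

```javascript
// Added example, not the slides' demo code. makeMemoryDocument (constructed here)
// mimics document.cookie: assigning "name=value; attrs" sets one cookie, assigning
// a past expiry deletes it, reading joins all cookies as "a=1; b=2".
function makeMemoryDocument() {
  const jar = new Map();
  return {
    get cookie() {
      return [...jar].map(([k, v]) => `${k}=${v}`).join('; ');
    },
    set cookie(str) {
      const [pair, ...attrs] = str.split(';').map(s => s.trim());
      const eq = pair.indexOf('=');
      const name = pair.slice(0, eq), value = pair.slice(eq + 1);
      const exp = attrs.find(a => a.toLowerCase().startsWith('expires='));
      if (exp && new Date(exp.slice(8)) <= new Date()) jar.delete(name);
      else jar.set(name, value);
    },
  };
}

// The three standard functions; doc is the document (or the stand-in) to use.
function getCookie(cookieName, doc) {
  for (const part of doc.cookie.split('; ')) {
    const eq = part.indexOf('=');
    if (part.slice(0, eq) === cookieName) return decodeURIComponent(part.slice(eq + 1));
  }
  return null;                                   // cookie is "empty"
}
function setCookie(cookieName, value, expDate, doc) {
  doc.cookie = `${cookieName}=${encodeURIComponent(value)}` +
    `; expires=${expDate.toUTCString()}; path=/`;
}
function delCookie(cookieName, doc) {
  setCookie(cookieName, '', new Date(0), doc);   // past expiry removes the cookie
}

// Creative applications 1 and 2: increment the visit counter and record the time
// of this visit while returning the time of the previous one (null on first visit).
function recordVisit(doc, now = new Date()) {
  const count = Number(getCookie('counter', doc) || 0) + 1;
  const lastVisit = getCookie('lastVisit', doc);
  const oneYear = new Date(Date.now() + 365 * 24 * 3600 * 1000);
  setCookie('counter', String(count), oneYear, doc);
  setCookie('lastVisit', now.toISOString(), oneYear, doc);
  return { count, lastVisit };
}
```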

Page 17: Cookies & Privacy


Cookie Demo: JavaScript
http://www.personal.psu.edu/ryp105/cookies

Page 18: Cookies & Privacy


Cookie Based Marketing
What is it?
User customized online advertising and marketing system that uses Cookies and databases to create, maintain and utilize consumer profiles and monitor their activity

Page 19: Cookies & Privacy


Cookie based Marketing
How does it work?
Companies like DoubleClick.net, adserver.com and adflow.com have developed an innovative system (using standard technologies) for this purpose. They tie up with popular websites like Yahoo, Amazon to create an extensive data and information sharing network

Page 20: Cookies & Privacy


Cookie based Marketing
How it works contd.
- Code developed by the company is placed on these web sites.
- When you hit another such site, it sends data placed in your cookies to DoubleClick and retrieves marketing information about you enabling them to customize ads etc
- Result: One person may see ads for sports goods and another for baby clothes

Page 21: Cookies & Privacy


Cookie based Marketing - Schema (diagram of the exchange between User Computer, Web Server and Ad Server)
- User Computer -> Web Server, GET: Cookie based info (User ad server id, IP address)
- Web Server -> Ad Server, SEND: User ad server id, IP address
- Web Server <- Ad Server, GET: Consumer profile and/or Targeted banner ad
- Web Server -> User Computer, SEND: Regular page content, Targeted advertising

© Ravi Pai Panandiker

Page 22: Cookies & Privacy


Cookie Viruses?
- On most platforms, Cookies are stored as text only files. To cause damage the Cookie must be an executable
- On Windows, text files are non-executable and would open in a text editor if double clicked
- In general, there are easier loopholes for a hacker in ActiveX controls, Outlook Express etc
- The threat from Cookies is not from what they can do to your computer but what information they may store and pass on

Page 23: Cookies & Privacy


Cookies, Privacy and Legislation
- Concern about misuse from Government agencies and non-profit organizations like Internet Engineering Task Force (IETF), Electronic Privacy Information Center (EPIC)
- Study by govt.'s Computer Incident Advisory Committee (CIAC) in 1998
- Bulletin concluded that there was more hype than hazard from Cookies.
- Agreed that tracking people's browsing habits makes many users uncomfortable

Page 24: Cookies & Privacy


Cookies, Privacy & Legislation
- New proposal put forward by IETF together with Netscape and Microsoft to modify the Cookie standard.
- Proposal is being backed by leading non-profit organizations
- Proposal will limit persistence and make Cookie activity more transparent.
- Key aspect of proposal is to disallow 3rd party server access to cookies. Would destroy Cookie based marketing.
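The cross-site profiling from the "How it works" and "Schema" slides, and the effect of the proposal's key aspect above, as an added example that is not from the slides: a toy browser with one cookie jar per host loads two first-party sites that both embed banners from the same ad server. All hosts, ids and the ad server logic are constructed for the example.

```javascript
// Added example, not from the slides: with third-party cookies allowed, the ad
// server sees one id on both sites and joins the profile; with third-party server
// access to cookies disallowed (the proposal's key aspect), it cannot link them.
function makeAdServer(host) {
  let nextId = 1;
  const profiles = new Map();       // ad-server id -> hosts the user was seen on
  return {
    host,
    profiles,
    // One banner request: the id cookie (if the browser sent one) and the referrer.
    serve(idCookie, referrerHost) {
      const id = idCookie || `u${nextId++}`;   // unknown visitor gets a fresh id
      const seen = profiles.get(id) || [];
      seen.push(referrerHost);
      profiles.set(id, seen);
      return { setCookie: { name: 'id', value: id }, seen: [...seen] };
    },
  };
}

function makeBrowser({ blockThirdParty }) {
  const jars = new Map();           // host -> Map(cookie name -> value)
  const jarFor = h => jars.get(h) || jars.set(h, new Map()).get(h);
  return {
    // Load a page on pageHost that embeds a banner served by ad.host.
    visit(pageHost, ad) {
      jarFor(pageHost).set('visited', '1');            // the site's own cookie
      const thirdParty = ad.host !== pageHost;
      const allowed = !(blockThirdParty && thirdParty);
      const sentId = allowed ? jarFor(ad.host).get('id') : undefined;
      const resp = ad.serve(sentId, pageHost);          // referrer still goes out
      if (allowed) jarFor(ad.host).set(resp.setCookie.name, resp.setCookie.value);
      return resp.seen;                                 // what the ad server knows
    },
  };
}

// Constructed scenario: the same user reads news, then shops.
function runScenario(blockThirdParty) {
  const ad = makeAdServer('ads.example');
  const browser = makeBrowser({ blockThirdParty });
  browser.visit('news.example', ad);
  const seenOnShop = browser.visit('shop.example', ad);
  return { seenOnShop, distinctIds: ad.profiles.size };
}
```

Blocking the third-party cookie removes the stable id, but each banner request still carries the referrer and the IP address listed on the "Can Do" slide.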

Page 25: Cookies & Privacy


Conclusion
- Cookies were originally created as harmless pieces of text for user convenience
- Along the way, some evil geniuses found a way to exploit them for business
- Most studies conclude Cookies are not harmful to the user: Would you rather see an ad for a product that's relevant or one you'd never buy?
- The paranoia arises from the invisible nature of cookie transactions and inadequate information about their ability.

Page 26: Cookies & Privacy


Sources
- www.cookiecentral.com
- www.echoecho.com
- www.wmlpulse.com
- www.epic.org
- www.ciac.org
- www.howstuffworks.com
- www.webmonkey.com
- www.ozemail.com.au
