by Tara Adiseshan and Jen Kagan

Digital security advocates keep hounding me to clear my cookies. From all the surveillance toolkits[1] that have increasingly been circulating since the November election, the understanding of cookies that has coalesced in my brain is something like this: cookies are creatures living in browsers and ratting on me to my favorite online stores about what I like, but also to sketchy advertisers and maybe even the NSA. So having them is bad. Then again, when I delete them all, the accounts I had been logged into kick me out and demand that I re-enter my password. So getting rid of them is also bad. What’s at the core of this strange feature of cookies? What are they actually for, how do they actually work, and how can I make better decisions about which ones to keep and which ones to clear? Tara and I (Jen) scoured the internet in search of answers.

Cookies Are Pieces of Text

For most folks, the word “cookie” probably first brings up visions of chocolate chips and baking. On the web, cookies are pieces of text that are placed on your computer by the websites that you visit.

Let’s say you’re going to Facebook for the first time on a new device. You type the URL https://www.facebook.com into your browser and hit enter, making an HTTP request for the page at that URL. Essentially, you’re asking Facebook to send you the webpage associated with the URL. Facebook sends you back the login page, which you see on screen, along with a few cookies in the background. You log in and start scrolling through your newsfeed.


From the moment these cookies are placed on your computer, they serve to identify you until you clear your cookies; they don’t go away when you close the tab or window you’re in. If you close your Facebook tab and go to Facebook.com later, some of the cookies on your computer from earlier are then included in your HTTP request. Because the cookies on your computer are unique to you, Facebook also now has information about you—things like the browser, IP address, and device type you accessed from, time zone, and the fact that you’ve logged in on this device before. This time, when you type in the URL and hit enter, your newsfeed loads instead of the generic login page.
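To make that round trip concrete, here is an added example (our own illustration, not code from the article) of the browser’s side of the exchange: it stores the Set-Cookie headers that arrive with the login page and attaches the matching cookies to the next request for the same domain. The cookie names (device_id, logged_in, tmp), their values and the dates are constructed for the example and are not Facebook’s real cookies.

```javascript
// Added example (not from the article): a minimal client-side cookie jar that
// mimics what a browser does with the Set-Cookie headers a login page sends
// back, and which cookies it attaches to the next request. Every cookie name,
// value, domain and date below is constructed for illustration.

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';');
  const eq = pair.indexOf('=');
  const name = pair.slice(0, eq).trim();
  const value = pair.slice(eq + 1).trim();
  const attrs = {};
  for (const part of attrParts) {
    const [k, ...rest] = part.trim().split('=');
    attrs[k.toLowerCase()] = rest.length ? rest.join('=') : true;
  }
  return { name, value, attrs };
}

class CookieJar {
  constructor() { this.cookies = new Map(); } // key: domain + '|' + name

  // Called when a response from `domain` arrives with Set-Cookie headers.
  // An Expires attribute makes the cookie persistent; without it (or Max-Age,
  // omitted here for brevity) it is a session cookie.
  storeFromResponse(domain, setCookieHeaders) {
    for (const h of setCookieHeaders) {
      const c = parseSetCookie(h);
      const expires = c.attrs.expires ? Date.parse(c.attrs.expires) : null;
      this.cookies.set(`${domain}|${c.name}`, { ...c, domain, expires, persistent: expires !== null });
    }
  }

  // Build the Cookie request header for a request to `domain`, dropping
  // expired cookies and keeping Secure cookies off plain-HTTP requests.
  cookieHeaderFor(domain, isHttps, now = Date.now()) {
    const pairs = [];
    for (const [key, c] of this.cookies) {
      if (c.domain !== domain) continue;              // other sites never see it
      if (c.expires !== null && c.expires <= now) { this.cookies.delete(key); continue; }
      if (c.attrs.secure && !isHttps) continue;       // Secure: encrypted connections only
      pairs.push(`${c.name}=${c.value}`);
    }
    return pairs.join('; ');
  }

  // Closing the whole browser (not just a tab) discards session cookies;
  // persistent ones stay until they expire or you clear them.
  endSession() {
    for (const [key, c] of this.cookies) if (!c.persistent) this.cookies.delete(key);
  }
}

// Walk through the scenario from the text with constructed headers.
function demo() {
  const jar = new CookieJar();
  const t0 = Date.parse('2017-03-01T12:00:00Z');
  // First visit: the login page comes back with a few cookies.
  jar.storeFromResponse('www.facebook.com', [
    'device_id=abc123; Expires=Fri, 01 Mar 2019 12:00:00 GMT; Secure; HttpOnly',
    'logged_in=1000123; Expires=Wed, 01 Mar 2017 13:00:00 GMT; Secure',
    'tmp=tab; HttpOnly',
  ]);
  const secondVisit = jar.cookieHeaderFor('www.facebook.com', true, t0 + 60 * 1000);
  const otherSite = jar.cookieHeaderFor('www.example.com', true, t0);
  const overPlainHttp = jar.cookieHeaderFor('www.facebook.com', false, t0);
  jar.endSession();
  const afterBrowserRestart = jar.cookieHeaderFor('www.facebook.com', true, t0 + 2 * 3600 * 1000);
  return { secondVisit, otherSite, overPlainHttp, afterBrowserRestart };
}
```

Running demo() shows the three behaviours that matter for the privacy discussion later on: a cookie is only ever sent back to the domain that set it, a cookie marked Secure is withheld on unencrypted requests, and whether a cookie outlives the browser depends entirely on whether the server gave it an expiration date.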


Cookies Are Mementos

We now take it for granted that websites “remember” us, but the web didn’t always have a concept of memory. Cookies were invented to solve this problem. In 1994, Lou Montulli, an engineer at Netscape, was building an e-commerce platform for a telecommunications client. His challenge was to create a shopping cart that could associate the items in the cart with the user who put them in there, without having to save information about partial transactions on the client’s server. Lou’s solution was the cookie, which provided a way for the server to get updates about the shopping cart’s “state” from the user. Cookies were quietly introduced to the Netscape browser in 1995. Most Netscape users didn’t know about cookies until the Financial Times published an article about them in 1996. After much subsequent media coverage, a working group was formed within the Internet Engineering Task Force to develop specifications and recommendations around cookies.


The shopping cart cookie, referred to as a first-party cookie, seems like a benign and useful solution to a common problem. As an early privacy measure, cookies could only be set by the site that was being requested. In other words, if I go to facebook.com, only facebook.com is allowed to set cookies on my browser.

But there’s a loophole that advertisers quickly took advantage of: If a web page contains “third-party components” like ads, those ads are often loaded from the advertiser’s domain. If I go to something.com, I’m inadvertently also requesting content from advertiser.com in order for ads to display. By requesting content from advertiser.com, I’m unknowingly giving them permission to set cookies on my browser.

It turns out that many early computer scientists and privacy advocates involved in the development of the cookie were worried about that too. The IETF working group actually advised that browsers either don’t allow the use of third-party cookies, or at the very least, don’t allow them to be enabled by default. It seems like these recommendations were largely ignored by Netscape and Internet Explorer, and most major browsers since have also continued to enable third-party cookies by default.

Cookies Make You Trackable

In the past twenty years or so, many folks have thought extensively about the privacy and security risks cookies pose. By acting as a unique identifier, cookies enable data aggregation and tracking functionalities that have been essential to the advertising industry’s role in shaping the internet. Researchers who conducted an extensive study of Facebook’s usage of cookies wrote about the tracking of users that happens across the internet, even when users aren’t logged into Facebook. They found that if a user visited Facebook.com, cookies were placed on their browser that then communicated with Facebook every time the user visited a site that had a Facebook ‘like’ button. Although Facebook provides an overview of its cookie policy, it’s difficult to know the extent to which Facebook is tracking users across non-Facebook sites. And it’s not just Facebook—most sites enable the usage of third-party cookies, handing data about our browsing habits over to advertisers.

The EFF[2], among others[3][4], has warned us about the ways in which cookies can be exploited for surveillance purposes. According to The Washington Post’s coverage of leaked NSA documents, “the NSA and its British counterpart, GCHQ, are using the small tracking files or ‘cookies’ that advertising networks place on computers to identify people browsing the Internet. The intelligence agencies have found particular use for a part of a Google-specific tracking mechanism known as the ‘PREF’ cookie.” The PREF cookie is sent over unencrypted connections, making it easier to read and connect individuals to their browsing history. It’s not entirely clear how the NSA gets access to these cookies—it could be through metadata collection or through collaboration with companies, but the idea that government surveillance can piggyback on corporate advertising technologies is alarming.

There have been attempts at making cookie usage more visible. Perhaps the most well-known is the EU’s somewhat controversial ePrivacy Directive. Introduced in 2011, it requires European websites to gain consent from visitors before using cookies to track them. The directive drew criticism from folks who said that its main effect, having pop-ups about cookies on every European website, was more annoying than illuminating. In January of this year, the European Commission proposed a replacement that would place the responsibility on browsers, rather than individual websites.

Sweet Tools for Expressing Your Preferences about and Blocking Third-Party Cookies

Most browsers already have functionality for dealing with cookies, including letting you configure your tracking preference to Do Not Track (DNT) in your Privacy settings. The DNT option is just an additional HTTP header: when you set DNT in your browser, the browser adds that header to the HTTP requests it sends to domains when you request their websites. But, as the specification says, the DNT setting is really just the expression of a preference that you not be tracked, and “expressing a preference does not imply that all recipients will comply.” TL;DR: Even if you set it, many companies ignore the Do Not Track header.

Luckily, there are more effective ways of filtering out third-party cookies. One of the most popular browser extensions for this is Privacy Badger, developed by the Electronic Frontier Foundation. The creators of Privacy Badger explain how exactly it works:

“Privacy Badger keeps note of the “third party” domains that embed images, scripts and advertising in the pages you visit. If a third party server appears to be tracking you without permission, by using uniquely identifying cookies… to collect a record of the pages you visit across multiple sites, Privacy Badger will automatically disallow content from that third party tracker.” Rather than just enabling you to express your preference about tracking, Privacy Badger develops a system for determining whether a domain’s behavior is third-party tracker-like, and then it filters out all the stuff from those domains.
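The quoted description, together with the advertiser.com loophole from the “Cookies Are Mementos” section, can be turned into a small piece of working logic. The following is an added example written for this article, not Privacy Badger’s own code: it walks a constructed log of the requests a browser made while visiting three unrelated sites, treats a request as third-party when its registrable domain differs from the page you typed in, and flags a third-party domain as a tracker once it has been seen carrying an identifier-like cookie on three different first-party sites. The three-site threshold matches Privacy Badger’s documented behaviour; the registrable-domain and identifier heuristics are simplifications labelled as such in the code.

```javascript
// Added example (not Privacy Badger's code): a simplified version of the
// heuristic described in the quote. A third-party domain that shows up,
// carrying a uniquely identifying cookie, while you browse several unrelated
// first-party sites is treated as a tracker. The request log is constructed.

// Registrable domain, approximated as the last two labels. A real
// implementation uses the Public Suffix List so that e.g. co.uk is handled.
function baseDomain(host) {
  return host.split('.').slice(-2).join('.');
}

// A cookie value that looks like an identifier: long enough and mixed enough
// to single out one browser. Simplified to "at least 8 characters with both
// letters and digits"; Privacy Badger's own test is more elaborate.
function looksLikeIdentifier(value) {
  return value.length >= 8 && /[a-z]/i.test(value) && /\d/.test(value);
}

// Log entries: { topSite: host of the page you typed in, request: host the
// page quietly fetched from, cookies: { name: value } sent with that request }.
function findTrackers(log, threshold = 3) {
  const sitesSeen = new Map(); // tracker base domain -> Set of first-party base domains
  for (const entry of log) {
    const first = baseDomain(entry.topSite);
    const third = baseDomain(entry.request);
    if (first === third) continue; // first-party request: the shopping-cart case
    const identifying = Object.values(entry.cookies).some(looksLikeIdentifier);
    if (!identifying) continue;     // no identifier sent, so nothing to correlate
    if (!sitesSeen.has(third)) sitesSeen.set(third, new Set());
    sitesSeen.get(third).add(first);
  }
  return [...sitesSeen]
    .filter(([, sites]) => sites.size >= threshold)
    .map(([domain]) => domain)
    .sort();
}

// Once a domain is on the tracker list, requests to it are disallowed.
function shouldBlock(trackers, requestHost) {
  return trackers.includes(baseDomain(requestHost));
}

// Constructed browsing session: three unrelated sites, each embedding the same
// ad network, two of them the same "like" button, plus a CDN that sets no
// identifier. The .example hosts and cookie values are made up.
const sampleLog = [
  { topSite: 'news.example',    request: 'news.example',        cookies: { session: 'x1y2z3w4v5' } },
  { topSite: 'news.example',    request: 'ads.adnet.example',   cookies: { uid: 'u7f3k9q2m1' } },
  { topSite: 'news.example',    request: 'static.cdn.example',  cookies: {} },
  { topSite: 'recipes.example', request: 'ads.adnet.example',   cookies: { uid: 'u7f3k9q2m1' } },
  { topSite: 'recipes.example', request: 'like.social.example', cookies: { datr: 'abc123def456' } },
  { topSite: 'forum.example',   request: 'ads.adnet.example',   cookies: { uid: 'u7f3k9q2m1' } },
  { topSite: 'forum.example',   request: 'like.social.example', cookies: { datr: 'abc123def456' } },
  { topSite: 'forum.example',   request: 'static.cdn.example',  cookies: {} },
];
```

With the default threshold only adnet.example is flagged: it was seen with the same uid cookie on all three sites. The “like” button domain has so far been seen on two, so it is not blocked yet, and the CDN never sent an identifier, so it is never counted. This is also why such tools start out permissive and get stricter the longer you browse.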

Sweet Tools for Exploring

There are tons of ways to explore the cookies that companies place on your computer! The quick and dirty way is to use the console, accessible through your browser’s Developer Tools. To get to the console, right-click anywhere on the page, select ‘Inspect’ (Google Chrome) or ‘Inspect Element’ (Firefox), and navigate to the ‘Console’ tab. Once you’re there, type document.cookie and behold a series of unintelligible key/value pairs. This is how you’re known to your shopping cart, third-party advertisers, and that one website that remembers you and doesn’t make you log in again.


Alternatively, if you’re using Firefox, check out Developer Tools > Network. You’ll see all the GET and POST requests between your computer and the server that’s sending you the website you’re on. Select a request, click on the “Cookies” tab, and you’ll see your Request and Response cookies. Request cookies are ones that you, as the client, send to the server, whereas Response cookies are sent by the server.


If you browse with Google Chrome, you can view your cookies under Developer Tools > Application > Storage > Cookies.


There are also browser extensions called cookie managers that let you navigate your cookies in a more straightforward way. Firefox has Cookies Manager+ and Google Chrome has EditThisCookie. Both are free, and both let you remove, add, and edit cookies.

A few things to try, with either Developer Tools or a cookie manager: Navigate to Facebook.com or Amazon.com, and see how cookie names and values differ based on which website you go to. What do you notice about the expiration dates of the cookies you find? What happens if you clear your cookies and repeat this exercise?

If you’re feeling really ambitious, we set up a bare-bones cookie program you can play with to get another perspective on cookies: the server’s perspective. The program uses node.js to set a cookie on your browser, which you can then view in Developer Tools or with one of the cookie manager extensions mentioned above. You’ll need to have node.js installed[7]. The cookie.js file is where you’ll look to see how to adjust the cookie’s key/value pair… and where you also just might find a bonus Taylor Swift cookie.

Dreaming about the day when you wake up
And find that what you’re looking for
Has been here the whole time

  • Taylor Swift, probably writing about cookies

Tara Adiseshan is a programmer, designer, and digital security trainer who enjoys thinking and building at intersections.

Jen Kagan writes words for humans and computers.


  1. “Protecting Yourself on Social Networks.” Electronic Frontier Foundation, 10 Feb. 2015. Web.
     Shelton, Martin. “Securing Your Digital Life Like a Normal Person.” Tinfoil Press, 14 Dec. 2015. Web.
     Kelley, Noah. “A DIY Guide to Feminist Cybersecurity.” Hackblossom, n.d. Web.
  2. Reitman, Rainey, and Seth Schoen. “NSA Turns Cookies (And More) Into Surveillance Beacons.” Electronic Frontier Foundation Deeplinks blog, 11 Dec. 2013. Web.
  3. Soltani, Ashkan, Andrea Peterson, and Barton Gellman. “NSA uses Google cookies to pinpoint targets for hacking.” The Washington Post The Switch blog, 10 Dec. 2013. Web.
  4. Marquis-Boire, Morgan, Glenn Greenwald, and Micah Lee. “XKEYSCORE: NSA’s Google for the World’s Private Communications.” The Intercept, 1 July 2015. Web.
  5. Here’s a good, one-minute node.js installation tutorial.